topic Problem with returning to the main VTI channel between ASA5508 and C881 in Network Security https://community.cisco.com/t5/network-security/problem-with-returning-to-the-main-vti-channel-between-asa5508/m-p/4435268#M1082352 <PRE><SPAN class="Y2IQFc">I have an ASA5508 at the main office, which has two Internet providers, and also has branches with which VTI tunnels are built. When the primary link of the ASA5508 fails, the routers switch to the backup, but when the primary link of the ASA returns, the failover does not occur, for this reason, the connection with the branches is cut off. I have to go to the router and write the command "clear crypto isakmp" and then the channel returns</SPAN></PRE><PRE><SPAN class="Y2IQFc">I suspect that some isakmp buffer is overflowing due to which the visibility of the logical tunnel of the main VTI channel disappears</SPAN></PRE><PRE><SPAN class="Y2IQFc">Configure a Router:<BR /><BR /></SPAN></PRE><P>rack 1 ip sla 1 reachability<BR />!<BR />!<BR />crypto isakmp policy 10<BR />encr aes 256<BR />authentication pre-share<BR />group 14<BR />lifetime 28800<BR />crypto isakmp key ***** address ***.***.**.***<BR />crypto isakmp key ****** address **.***.**.***<BR />!<BR />!<BR />crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac<BR />!<BR />crypto ipsec profile IPSEC_PROFILE<BR />set transform-set TSET</P><P><BR />interface Tunnel0<BR />description tunnel to MainChanell_ASA<BR />ip address 10.10.10.78 255.255.255.252<BR />tunnel source FastEthernet4<BR />tunnel mode ipsec ipv4<BR />tunnel destination ***.***.**.***<BR />tunnel protection ipsec profile IPSEC_PROFILE<BR />!<BR />interface Tunnel1<BR />description tunnel to BackupChanell_ASA<BR />ip address 10.10.10.154 255.255.255.252<BR />tunnel source FastEthernet4<BR />tunnel mode ipsec ipv4<BR />tunnel destination **.***.**.***<BR />tunnel protection ipsec profile IPSEC_PROFILE</P><P>interface FastEthernet4<BR />description Outside interface to ISP<BR />ip address dhcp<BR />ip nat outside<BR />ip virtual-reassembly in<BR />no ip route-cache cef<BR />duplex full<BR />speed auto<BR />no cdp enable</P><P><BR />ip sla 1<BR />icmp-echo ***.***.**.*** source-interface FastEthernet4<BR />threshold 1000<BR />timeout 1500<BR />frequency 3<BR />ip sla schedule 1 life forever start-time now</P><P><BR />ip route 192.168.0.0 255.255.0.0 10.10.10.77 track 1<BR />ip route 0.0.0.0 0.0.0.0 ***.***.**.**<BR />ip route 192.168.0.0 255.255.0.0 10.10.10.153 254</P><PRE><SPAN class="Y2IQFc">&nbsp;</SPAN></PRE><P>&nbsp;</P> Mon, 19 Jul 2021 11:37:03 GMT NikolayRybnikov 2021-07-19T11:37:03Z Problem with returning to the main VTI channel between ASA5508 and C881 https://community.cisco.com/t5/network-security/problem-with-returning-to-the-main-vti-channel-between-asa5508/m-p/4435268#M1082352 <PRE><SPAN class="Y2IQFc">I have an ASA5508 at the main office, which has two Internet providers, and also has branches with which VTI tunnels are built. When the primary link of the ASA5508 fails, the routers switch to the backup, but when the primary link of the ASA returns, the failover does not occur, for this reason, the connection with the branches is cut off. I have to go to the router and write the command "clear crypto isakmp" and then the channel returns</SPAN></PRE><PRE><SPAN class="Y2IQFc">I suspect that some isakmp buffer is overflowing due to which the visibility of the logical tunnel of the main VTI channel disappears</SPAN></PRE><PRE><SPAN class="Y2IQFc">Configure a Router:<BR /><BR /></SPAN></PRE><P>rack 1 ip sla 1 reachability<BR />!<BR />!<BR />crypto isakmp policy 10<BR />encr aes 256<BR />authentication pre-share<BR />group 14<BR />lifetime 28800<BR />crypto isakmp key ***** address ***.***.**.***<BR />crypto isakmp key ****** address **.***.**.***<BR />!<BR />!<BR />crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac<BR />!<BR />crypto ipsec profile IPSEC_PROFILE<BR />set transform-set TSET</P><P><BR />interface Tunnel0<BR />description tunnel to MainChanell_ASA<BR />ip address 10.10.10.78 255.255.255.252<BR />tunnel source FastEthernet4<BR />tunnel mode ipsec ipv4<BR />tunnel destination ***.***.**.***<BR />tunnel protection ipsec profile IPSEC_PROFILE<BR />!<BR />interface Tunnel1<BR />description tunnel to BackupChanell_ASA<BR />ip address 10.10.10.154 255.255.255.252<BR />tunnel source FastEthernet4<BR />tunnel mode ipsec ipv4<BR />tunnel destination **.***.**.***<BR />tunnel protection ipsec profile IPSEC_PROFILE</P><P>interface FastEthernet4<BR />description Outside interface to ISP<BR />ip address dhcp<BR />ip nat outside<BR />ip virtual-reassembly in<BR />no ip route-cache cef<BR />duplex full<BR />speed auto<BR />no cdp enable</P><P><BR />ip sla 1<BR />icmp-echo ***.***.**.*** source-interface FastEthernet4<BR />threshold 1000<BR />timeout 1500<BR />frequency 3<BR />ip sla schedule 1 life forever start-time now</P><P><BR />ip route 192.168.0.0 255.255.0.0 10.10.10.77 track 1<BR />ip route 0.0.0.0 0.0.0.0 ***.***.**.**<BR />ip route 192.168.0.0 255.255.0.0 10.10.10.153 254</P><PRE><SPAN class="Y2IQFc">&nbsp;</SPAN></PRE><P>&nbsp;</P> Mon, 19 Jul 2021 11:37:03 GMT https://community.cisco.com/t5/network-security/problem-with-returning-to-the-main-vti-channel-between-asa5508/m-p/4435268#M1082352 NikolayRybnikov 2021-07-19T11:37:03Z