<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: L2L VPNs on ASAs and failover question in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/l2l-vpns-on-asas-and-failover-question/m-p/1191758#M875170</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I agree with Jorge. There will be no disruption, and I did test it out.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 02 Apr 2009 02:09:17 GMT</pubDate>
    <dc:creator>vikram_anumukonda</dc:creator>
    <dc:date>2009-04-02T02:09:17Z</dc:date>
    <item>
      <title>L2L VPNs on ASAs and failover question</title>
      <link>https://community.cisco.com/t5/network-security/l2l-vpns-on-asas-and-failover-question/m-p/1191755#M875163</link>
      <description>&lt;P&gt;If I have a pair of ASA firewalls terminating several IPsec L2L VPN connections, and these firewalls are configured for failover, what happens to the active tunnels if a failover occurs? Is there a disruption or is it transparent? Finally, is there any special config required to make it happen?&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 15:03:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/l2l-vpns-on-asas-and-failover-question/m-p/1191755#M875163</guid>
      <dc:creator>mjsully</dc:creator>
      <dc:date>2019-03-11T15:03:15Z</dc:date>
    </item>
    <item>
      <title>Re: L2L VPNs on ASAs and failover question</title>
      <link>https://community.cisco.com/t5/network-security/l2l-vpns-on-asas-and-failover-question/m-p/1191756#M875166</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The theory behind IPsec in ASA A/S architecture is that when you configure stateful failover, the ISAKMP and IPsec SA table is passed on to the standby, so in theory you should not see disruption in a failover. Personally, I have yet to test this in an IPsec scenario.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;See stateful failover:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef" target="_blank"&gt;http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Quote from above link -&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The state information passed to the standby unit includes these: &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The NAT translation table&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The TCP connection states&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The UDP connection states&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The ARP table&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The Layer 2 bridge table (when it runs in the transparent firewall mode)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The HTTP connection states (if HTTP replication is enabled)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The ISAKMP and IPSec SA table&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The GTP PDP connection database&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 11 Mar 2009 15:57:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/l2l-vpns-on-asas-and-failover-question/m-p/1191756#M875166</guid>
      <dc:creator>JORGE RODRIGUEZ</dc:creator>
      <dc:date>2009-03-11T15:57:33Z</dc:date>
    </item>
    <item>
      <title>Re: L2L VPNs on ASAs and failover question</title>
      <link>https://community.cisco.com/t5/network-security/l2l-vpns-on-asas-and-failover-question/m-p/1191757#M875167</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;In my experience, with ASAs what will happen is the SAs will indeed move from the primary to the standby ASA.  The standby ASA becomes the active ASA.  The remote sites still think the original ASA is still up and unfortunately still hold onto their SAs.  These SAs on the remote end will not work.  I speculate this is because the hardware hashes are going to fail on the IPsec integrity checks.  The remote ends have to have their SAs purged manually with a clear crypto sa.  After that, re-initiate interesting traffic, and then your tunnels will come back up on the "new" primary ASA.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 01 Apr 2009 21:54:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/l2l-vpns-on-asas-and-failover-question/m-p/1191757#M875167</guid>
      <dc:creator>cvoisin</dc:creator>
      <dc:date>2009-04-01T21:54:13Z</dc:date>
    </item>
    <item>
      <title>Re: L2L VPNs on ASAs and failover question</title>
      <link>https://community.cisco.com/t5/network-security/l2l-vpns-on-asas-and-failover-question/m-p/1191758#M875170</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I agree with Jorge. There will be no disruption, and I did test it out.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 02 Apr 2009 02:09:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/l2l-vpns-on-asas-and-failover-question/m-p/1191758#M875170</guid>
      <dc:creator>vikram_anumukonda</dc:creator>
      <dc:date>2009-04-02T02:09:17Z</dc:date>
    </item>
    <item>
      <title>Re: L2L VPNs on ASAs and failover question</title>
      <link>https://community.cisco.com/t5/network-security/l2l-vpns-on-asas-and-failover-question/m-p/1191759#M875171</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I'm not sure if you guys are misinformed, but stateful IPsec failover is NOT supported by the ASA.  This was confirmed by my local SE.  Your SAs will need to be purged on the remote side.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Our ASA right now is flaking out on the primary and is failing right now between active and standby states.  The remote VPNs are "staying up"  and there are SAs in both the ASA and the remote VPN site routers.  Unfortunately, as I said, the traffic is not passing over the VPN.  So, once I reviewed this with my SE, he said you have to go back in and actually remove the SAs from the far end routers and re-initiate interesting traffic.  Voila...it works like cake.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I don't want to disagree with anyone too strongly, but again in my experience it doesn't work.  I did notice that with a 3800 or greater you can do stateful IPsec failover between two routers that are your VPN termination devices, but all PIX and ASA documentation only shows that the SAs are maintained on the standby device.  Nothing in regard to them continuing to work is mentioned.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 02 Apr 2009 03:11:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/l2l-vpns-on-asas-and-failover-question/m-p/1191759#M875171</guid>
      <dc:creator>cvoisin</dc:creator>
      <dc:date>2009-04-02T03:11:07Z</dc:date>
    </item>
    <item>
      <title>Re: L2L VPNs on ASAs and failover question</title>
      <link>https://community.cisco.com/t5/network-security/l2l-vpns-on-asas-and-failover-question/m-p/1191760#M875173</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Please, I have already set up a site-to-site VPN with an ASA 5540, and I want to set up a 2nd VPN, but the 2nd VPN is not working. How can I add a 2nd VPN with ASA ASDM?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 02 Apr 2009 09:11:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/l2l-vpns-on-asas-and-failover-question/m-p/1191760#M875173</guid>
      <dc:creator>mtoure2009</dc:creator>
      <dc:date>2009-04-02T09:11:44Z</dc:date>
    </item>
  </channel>
</rss>

