ASA IPsec site to site Failover

10-13-2020 03:36 PM
Hello, I've configured an IPsec tunnel between a remote site ASA and a headend ASA. The remote site ASA has 2 Internet circuits, so 2 crypto maps tied to each outside interface. The headend ASA has one Internet circuit with one crypto map with 2 peers. Failover is configured on the remote ASA via ip sla and tracking. Failover is working correctly and the tunnels are getting established, but for the first 15 mins there is consistent flapping and then it stabilizes. What would be the reason for that? Is there anything I can configure on the headend ASA to flush the dead tunnel? Maybe tunnel keepalives or dead peer detection?
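A reference configuration for the topology described in the question, added here as an example (it is not from the original post or from the replies): an IKEv2 site-to-site tunnel between a remote ASA with two outside interfaces and a headend ASA, with ip sla tracking on the remote side and DPD (isakmp keepalive) on both sides so the headend tears down the SA to the circuit that just died instead of keeping it until the SA lifetime expires. Every interface name (primary, backup, outside), address (203.0.113.2 and 198.51.100.2 for the remote circuits, 192.0.2.10 for the headend), network, ACL and crypto map name, the DPD timer values and the pre-shared key are assumptions for illustration.

```cisco
! ===== Headend ASA (outside = 192.0.2.10) =====
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! Interesting traffic: headend LAN 10.1.0.0/24 <-> remote LAN 10.2.0.0/24 (assumed)
access-list VPN-TRAFFIC extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
! One crypto map entry, two peers: the remote's primary and backup circuits.
! answer-only: the headend never initiates, so it does not race the remote's
! failover decision by trying to rebuild the tunnel to the circuit that just died.
crypto map OUTSIDE_MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2 198.51.100.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 10 set connection-type answer-only
crypto map OUTSIDE_MAP interface outside
! One tunnel-group per remote peer address; DPD is set under ipsec-attributes.
! threshold 10 retry 3: send a DPD probe after 10 s with no traffic from the
! peer, retry every 3 s, and delete the SA when the peer stays silent, so the
! stale SA from the failed circuit is flushed within tens of seconds.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ExamplePSK-ChangeMe
 ikev2 local-authentication pre-shared-key ExamplePSK-ChangeMe
 isakmp keepalive threshold 10 retry 3
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ExamplePSK-ChangeMe
 ikev2 local-authentication pre-shared-key ExamplePSK-ChangeMe
 isakmp keepalive threshold 10 retry 3

! ===== Remote ASA (primary = 203.0.113.2, backup = 198.51.100.2) =====
! Same ikev2 policy and ipsec-proposal as the headend (not repeated here).
access-list VPN-TRAFFIC extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto ikev2 enable primary
crypto ikev2 enable backup
! One crypto map per outside interface, both pointing at the single headend peer.
! Which map is used follows the routing table: whichever interface holds the
! default route when the LAN traffic arrives builds the tunnel.
crypto map PRIMARY_MAP 10 match address VPN-TRAFFIC
crypto map PRIMARY_MAP 10 set peer 192.0.2.10
crypto map PRIMARY_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map PRIMARY_MAP interface primary
crypto map BACKUP_MAP 10 match address VPN-TRAFFIC
crypto map BACKUP_MAP 10 set peer 192.0.2.10
crypto map BACKUP_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map BACKUP_MAP interface backup
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ExamplePSK-ChangeMe
 ikev2 local-authentication pre-shared-key ExamplePSK-ChangeMe
 isakmp keepalive threshold 10 retry 3
! Failover: probe the headend's outside address out the primary circuit and
! float the default route to backup when the probe fails. Probing the peer
! (not the ISP next hop) also catches an upstream outage. Assumes the headend
! answers ICMP echo on its outside interface; 192.0.2.10 is not in the crypto
! ACL, so the probe itself never rides the tunnel.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.10 interface primary
 num-packets 3
 timeout 1000
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route primary 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
```

Two checks worth running on the headend after a forced failover: `show crypto ikev2 sa` should list exactly one IKE SA for the remote site (from the address of the circuit now carrying the default route), and `show crypto ipsec sa peer <old remote address>` should show nothing once DPD has fired. If the old SA is still present, `clear crypto ipsec sa peer <old remote address>` flushes it by hand. Without DPD on the headend, the tunnel from the failed circuit stays in the SA database next to the new one, both matching the same traffic selectors, until its lifetime runs out, which is the state the question describes wanting to avoid.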
10-13-2020 06:56 PM
10-13-2020 10:56 PM
Take a look at this blog post of mine; although it is more focused on how to implement preemption with redundant site-to-site VPN tunnels, it might be helpful in your scenario:
https://bluenetsec.com/cisco-asa-ipsec-site-to-site-vpn-preemption/
