03-11-2009 07:44 AM - edited 03-11-2019 08:03 AM
If I have a pair of ASA firewalls terminating several IPsec VPN L2L connections, and these firewalls are configured for failover, what happens to the active tunnels if a failover occurs? Is there a disruption, or is it transparent? Finally, is there any special config required to make it happen?
03-11-2009 08:57 AM
Hi,
The theory behind IPsec in an ASA A/S architecture is that when you configure stateful failover the ISAKMP and IPsec SA table is passed on to the standby, so in theory you should not see disruption in a failover; personally I have yet to test this in an IPsec scenario.
see stateful failover
Quote from above link -
The state information passed to the standby unit includes these:
The NAT translation table
The TCP connection states
The UDP connection states
The ARP table
The Layer 2 bridge table (when it runs in the transparent firewall mode)
The HTTP connection states (if HTTP replication is enabled)
The ISAKMP and IPSec SA table
The GTP PDP connection database
04-01-2009 07:09 PM
I agree with Jorge. There will be no disruption, and I did test it out.
04-01-2009 08:11 PM
I'm not sure if you guys are misinformed, but stateful IPsec failover is NOT supported by the ASA. This was confirmed by my local SE. Your SAs will need to be purged on the remote side.
Our ASA right now is flaking out on the primary and is failing right now between active and standby states. The remote VPNs are "staying up" and there are SAs in both the ASA and the remote VPN site routers. Unfortunately, as I said, the traffic is not passing over the VPN. So, once I reviewed this with my SE he said you have to go back in and actually remove the SAs from the far-end routers and re-initiate interesting traffic. Voila...it works like cake.
I don't want to disagree with anyone too strongly, but again in my experience it doesn't work. I did notice that with a 3800 or greater you can do stateful IPsec failover between two routers that are your VPN termination devices, but all PIX and ASA documentation only shows that the SAs are maintained on the standby device. Nothing in regard to them continuing to work is mentioned.
04-01-2009 02:54 PM
In my experience, with ASAs what will happen is the SAs will indeed move from the primary to the standby ASA. The standby ASA becomes the active ASA. The remote sites still think the original ASA is still up and unfortunately still hold onto their SAs. These SAs on the remote end will not work. I speculate this is because the hardware hashes are going to fail on the IPsec integrity checks. The remote ends manually have to have their SAs purged with a clear crypto sa. After that, re-initiate interesting traffic, and then your tunnels will come back up on the "new" primary ASA.
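The symptom described in the posts above (SAs present on both ends, but no traffic passing after the ASA pair fails over) can be spotted from the remote router without guessing. This is an added example, not code from the thread: it parses two constructed `show crypto ipsec sa` captures taken a few seconds apart and flags peers whose `#pkts encaps` keeps climbing while `#pkts decaps` stays flat. Peer addresses, counter values and the `VPNMAP` crypto map name are made up; the counter line format follows IOS output.

```python
import re

# Constructed "show crypto ipsec sa" excerpts from a remote-site router (not from
# the thread), taken a few seconds apart after the hub ASA pair failed over.
BEFORE = """\
    Crypto map tag: VPNMAP, local addr 203.0.113.10
   current_peer 198.51.100.1 port 500
    #pkts encaps: 5120, #pkts encrypt: 5120, #pkts digest: 5120
    #pkts decaps: 5090, #pkts decrypt: 5090, #pkts verify: 5090
   current_peer 198.51.100.2 port 500
    #pkts encaps: 800, #pkts encrypt: 800, #pkts digest: 800
    #pkts decaps: 790, #pkts decrypt: 790, #pkts verify: 790
"""
AFTER = """\
    Crypto map tag: VPNMAP, local addr 203.0.113.10
   current_peer 198.51.100.1 port 500
    #pkts encaps: 5180, #pkts encrypt: 5180, #pkts digest: 5180
    #pkts decaps: 5090, #pkts decrypt: 5090, #pkts verify: 5090
   current_peer 198.51.100.2 port 500
    #pkts encaps: 860, #pkts encrypt: 860, #pkts digest: 860
    #pkts decaps: 845, #pkts decrypt: 845, #pkts verify: 845
"""

def parse_sa_counters(output):
    """Return {peer: (encaps, decaps)}; several SAs to one peer are summed."""
    counters, peer = {}, None
    for line in output.splitlines():
        m = re.search(r"current_peer (\S+)", line)
        if m:
            peer = m.group(1)
            counters.setdefault(peer, [0, 0])
            continue
        m = re.search(r"#pkts (encaps|decaps): (\d+)", line)
        if m and peer:
            counters[peer][0 if m.group(1) == "encaps" else 1] += int(m.group(2))
    return {p: tuple(v) for p, v in counters.items()}

def stale_peers(before, after):
    """Peers we keep encapsulating toward while the decaps counter stays flat:
    the far end still holds an SA, but nothing comes back over it."""
    old, new = parse_sa_counters(before), parse_sa_counters(after)
    return [peer for peer, (enc, dec) in new.items()
            if enc > old.get(peer, (0, 0))[0] and dec == old.get(peer, (0, 0))[1]]

if __name__ == "__main__":
    print("stale SAs toward:", stale_peers(BEFORE, AFTER))  # ['198.51.100.1']
```

A peer that is idle in both directions is not flagged, so send some interesting traffic between the two captures. Whatever the check lists is where the fix from the thread applies: clear the SA on that far end and re-initiate traffic.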
04-02-2009 02:11 AM
Please, I have already set up a site-to-site VPN with an ASA 5540, and I want to set up a 2nd VPN, but the 2nd VPN is not working. How can I add a 2nd VPN with ASA ASDM?