We have an ASA at site A and site B, connected via a mpls circuit on their inside interface.

We have IP SLA tracking set up so if the circuit goes down, it drops those static routes, and routes the traffic out the outside interface to the internet via an ipsec tunnel.

The failover works ok, we bring down the mpls circuit and the firewalls route traffic via the outside interface through the ipsec tunnel.

However when we bring the mpls circuit up, and routes are restored to go via circuit on the inside interface, some traffic was reported to still traverse the ipsec tunnel until the vpn was manually brought down.

When the routes are restored via the internal circuit, existing connections will still be in the ASAs via the ipsec tunnel. Looking at the packet flow, if there is an existing connection it skips ACL and translation lookup.

http://www.cisco.com/image/gif/paws/113396/asa-packet-flow-00.pdf

Then the egress interface is determined based on the translation lookup. Is it possible that even though the route says to route 10.x.x.x inside, that because there is an existing connection, with a nonat xlate between (dmz,outside) that the egress interface is the outside via the ipsec tunnel vs inside to the mpls circuit?

I have yet to get time with the far end guy to look at connection tables and packet captures to verify. But can anyone confirm if the following behavior is true?

Thanks!