436 Views | 0 Helpful | 7 Replies
Beginner

ASA 5500 Restored a failed unit now seeing issues with VPN tunnels.

I restored the HA pair back to Active/Standby.

1 remaining issue.

I have 3 IPsec Site-to-Site tunnels.

I noticed that when the NEW UNIT becomes ACTIVE, I am unable to pass traffic over the VPN tunnels.

When I failback I am able to pass traffic.

Any ideas?

Thanks...

7 REPLIES
Cisco Employee

ASA 5500 Restored a failed unit now seeing issues with VPN tunnels.

Can you please check whether the configuration gets synchronized to the new unit, and also whether you have stateful failover configured?

Beginner

Re: ASA 5500 Restored a failed unit now seeing issues with VPN tunnels.

Yes - stateful failover is configured. I have attached the configuration for review.

The sync appears fine. The unit operates fine for a few hours and then the traffic stops getting passed over the VPN tunnels. I perform a failover and traffic passes immediately.

Hall of Fame Master

Re: ASA 5500 Restored a failed unit now seeing issues with VPN tunnels.

Are those VPN tunnels perchance certificate-based? If so, you need to copy the certificates onto the replaced unit.

(Disk operations such as copying certificate files are not included in a configuration synchronization process.)

Beginner

Re: ASA 5500 Restored a failed unit now seeing issues with VPN tunnels.

They are not certificate-based!

Cisco Employee

Re: ASA 5500 Restored a failed unit now seeing issues with VPN tunnels.

Tom,

Can you say exactly what is happening on the new active box?

show crypto isakmp sa/show crypto ipsec sa

to see what exactly is happening with the tunnels. It seems like an IPsec replication issue.

Are versions on both boxes the same?

Beginner

Re: ASA 5500 Restored a failed unit now seeing issues with VPN tunnels.

See attached.

Versions are the same.

Cisco Employee

Re: ASA 5500 Restored a failed unit now seeing issues with VPN tunnels.

As I understand it, is this output from the primary when it is standby-ready, or when it is active?

When you are initiating traffic, are the counters in show crypto ipsec sa increasing?

The best would be to do some online debugging for it. If possible, I would suggest creating a TAC case for that.
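The check the last two replies describe (capture show crypto ipsec sa twice while generating traffic and see whether the per-peer encaps/decaps counters move) can be scripted. The following is an added example and not code from the thread or from Cisco; the two snapshots are constructed to mimic the ASA output format, the peer addresses are documentation ranges, and the verdict labels are my own. It goes slightly beyond the reply by distinguishing "encaps only" (packets leave, nothing comes back) from "idle" (nothing hits the crypto map at all) and by treating a counter that went backwards as a rekey rather than a fault.

```python
import re

# Regexes for the fields of interest in "show crypto ipsec sa" output.
PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ipsec_sa(text):
    """Return {peer: (encaps, decaps)}, summed over every SA for that peer."""
    counters = {}
    peer = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            counters.setdefault(peer, [0, 0])
            continue
        if peer is None:
            continue  # counters before the first current_peer line belong to nothing
        m = ENCAPS_RE.search(line)
        if m:
            counters[peer][0] += int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            counters[peer][1] += int(m.group(1))
    return {p: tuple(v) for p, v in counters.items()}


def diagnose(before, after):
    """Compare two snapshots taken while traffic is being sent; return {peer: verdict}."""
    verdicts = {}
    for peer, (enc1, dec1) in after.items():
        enc0, dec0 = before.get(peer, (0, 0))
        d_enc, d_dec = enc1 - enc0, dec1 - dec0
        if d_enc < 0 or d_dec < 0:
            verdicts[peer] = "rekeyed"      # counters reset on a new SA; compare again
        elif d_enc > 0 and d_dec > 0:
            verdicts[peer] = "ok"           # traffic is flowing in both directions
        elif d_enc > 0:
            verdicts[peer] = "encaps-only"  # we encrypt and send, nothing is returned
        elif d_dec > 0:
            verdicts[peer] = "decaps-only"  # peer sends to us, our side is not sending
        else:
            verdicts[peer] = "idle"         # nothing matched the crypto map at all
    for peer in before:
        if peer not in after:
            verdicts[peer] = "missing"      # SA disappeared between the two captures
    return verdicts


# Constructed sample output in the layout of "show crypto ipsec sa" (not real captures).
SNAPSHOT_BEFORE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1
      current_peer: 198.51.100.2
      #pkts encaps: 1000, #pkts encrypt: 1000, #pkts digest: 1000
      #pkts decaps: 950, #pkts decrypt: 950, #pkts verify: 950
    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.1
      current_peer: 192.0.2.10
      #pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500
      #pkts decaps: 480, #pkts decrypt: 480, #pkts verify: 480
"""

SNAPSHOT_AFTER = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1
      current_peer: 198.51.100.2
      #pkts encaps: 1040, #pkts encrypt: 1040, #pkts digest: 1040
      #pkts decaps: 990, #pkts decrypt: 990, #pkts verify: 990
    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.1
      current_peer: 192.0.2.10
      #pkts encaps: 530, #pkts encrypt: 530, #pkts digest: 530
      #pkts decaps: 480, #pkts decrypt: 480, #pkts verify: 480
"""

if __name__ == "__main__":
    result = diagnose(parse_ipsec_sa(SNAPSHOT_BEFORE), parse_ipsec_sa(SNAPSHOT_AFTER))
    for peer, verdict in sorted(result.items()):
        print(f"{peer}: {verdict}")
```

An "encaps-only" verdict on the newly active unit is the pattern to look for in this thread: the tunnel is up and the ASA is encrypting, but return traffic never arrives, which points at the remote side or at the path rather than at the local crypto configuration. "idle" means the traffic is not even reaching the crypto map, which is a local routing or NAT question instead.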