Cisco ASA - Use Path Monitoring for VPN Failover?

dervari (Level 1)

Does the ASA have a mechanism by which we can monitor a VPN tunnel using an SLA/Track to a private IP on the remote side and, if the SLA fails, re-route traffic via a second VPN configured to a different peer? A partner has this type of configuration set up on a Palo Alto where they are pinging a device on our LAN and if they miss pings to it the VPN fails over to a separate physical box on a different WAN IP.

The problem we are having is that their routes fail over but we don't. We have a secondary peer configured and our side will not fail over to the secondary peer unless the IPSec connection to the primary fails, which it doesn't.


Thanks.

1 Reply

Hi,

So are you saying that the IPSec tunnel is still established even though the other end is down? In which case ensure Dead Peer Detection (DPD) is configured, guide here. This will clear the IPSec SA if the remote peer is down, therefore your secondary peer should then establish a tunnel.

HTH
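As an added example (not from the reply above or from Cisco), this is what DPD looks like on the policy-based (crypto map) design the question describes, where a primary and a secondary peer are listed on one crypto map entry. DPD sends an IKE liveness check when the peer has been idle and tears down the IKE and IPsec SAs after the configured number of unanswered retries, which is what allows the crypto map to move on to the next peer in its list. Note that DPD only fires when the peer's IKE daemon stops responding; if the partner's firewall stays up and merely shifts its routes to another box, DPD sees a live peer and the tunnel stays where it is, so an end-to-end reachability probe is the complementary check for that case. Peer addresses, the ACL name, map name and proposal name are constructed placeholders.

```cisco
! Added example, not from the original reply. Peer addresses and names
! are constructed placeholders.
!
! Dead Peer Detection per peer: after 10 s of idle time send a liveness
! check; after 2 unanswered retries the IKE SA and its child IPsec SAs
! are deleted, so the crypto map can fall through to the next peer.
tunnel-group 198.51.100.1 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.2 ipsec-attributes
 isakmp keepalive threshold 10 retry 2

! Crypto map entry listing both peers in preference order.
! Interesting traffic is defined by PARTNER-VPN-ACL (placeholder name).
crypto map outside_map 10 match address PARTNER-VPN-ACL
crypto map outside_map 10 set peer 198.51.100.1 198.51.100.2
crypto map outside_map 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map interface outside

! Verification after the primary peer stops answering: the IKEv2 SA
! should disappear for 198.51.100.1 and a new one should appear for
! 198.51.100.2 once interesting traffic triggers it.
show crypto ikev2 sa
show crypto ipsec sa peer 198.51.100.2
show vpn-sessiondb l2l
```

Keep the threshold and retry values short enough that failover completes inside the application timeouts that matter, but not so short that a brief WAN hiccup tears the tunnel down unnecessarily; the values above are illustrative.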
