differences noticed between ASA running 9.5 and 9.1 for L2L VPNs

We have just upgraded our ASA from a 5510 running 9.1 to a 5525 running 9.5.

We now have about 25 L2L VPN tunnels running, a mixture of IKEv1 and IKEv2 with dynamic and static remote sites. These are mainly used as backup links, so there is not much traffic.

With the old ASA the tunnels would always be up, and any re-negotiation was very quick. Now, with the new ASA, they go down and take a while to come up again.

Are there any new commands in 9.5 that affect L2L tunnels?

On the side: our dynamic L2L tunnels are on 4G and run NAT-T (port 4500). Is there any way to always negotiate using UDP 4500 instead of 500? It looks like the router tries 500 first and then switches to 4500 when it uses NAT-T.

2 Replies

Michael Muenz
Level 5

Does the renegotiation affect your connectivity? If yes, you can add an IP SLA to track an internal IP via the VPN so the tunnel is always up.

I would not force 4500; the protocol itself detects it quite well. In IOS there's a command to force UDP NAT transparency.

Michael Please rate all helpful posts
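As an added illustration of the IP SLA suggestion above (not configuration from either poster), here is what a keepalive probe would look like on an IOS spoke router behind 4G. The addresses are assumptions: 10.10.0.1 stands for a host on the hub's inside network and 192.168.50.1 for the spoke's inside address, both of which must already be covered by the crypto ACL so the probe counts as interesting traffic. The probe belongs on the spoke, not the ASA, because with a dynamic crypto map the hub does not know the spoke's address and cannot initiate the tunnel.

```text
! Added example, not from the thread. Assumed addresses:
!   10.10.0.1     host at the hub, inside the crypto ACL
!   192.168.50.1  spoke inside interface, inside the crypto ACL
! Sourcing the ping from the inside address keeps it inside the
! crypto ACL, so it brings the tunnel up and keeps the SA from idling out.
ip sla 10
 icmp-echo 10.10.0.1 source-ip 192.168.50.1
 frequency 30
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Optional: expose the probe as a tracked object for routing or logging
track 10 ip sla 10 reachability
```

Pick a frequency shorter than the tunnel's idle timeout, otherwise the probe only re-triggers negotiation after each drop instead of preventing it. Verify with `show ip sla statistics 10` on the spoke and `show crypto ipsec sa peer <spoke-public-ip>` on the ASA; the encap/decap counters should increase steadily and the SA should no longer be torn down for inactivity.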

The network has settled down now. It does seem to work much the same, except that it takes a bit longer to re-negotiate the VPN connection, but as these are backup links it does not really matter.