How to stop VPN rekey on ASA

Dean Romanelli
Level 4

Hi All,

I have an ASA in the field that has a VPN tunnel with two peer IPs listed; the first one is to DC1 and the second one is to DC2.

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 12.x.xxx.20 50.xxx.xx.190
crypto map outside_map 1 set transform-set ESP-AES-256-SHA

There is consistent traffic going over this VPN, so tunnel timeout never happens. What does happen, however, is VPN rekey. When this occurs, the tunnel re-establishes to the second peer IP (DC2). I don't want that. I want them on DC1 unless DC1 fails. How can I make sure that happens?


This is controlled with routing rather than cryptos. The tunnel to DC2 won't be established unless the routing table is pointing out of them and interesting traffic starts flowing. You need to tweak the hold timers for your routing protocol to avoid traffic going to DC2.

Rahul Govindan
VIP Alumni

This should not happen. When a rekey occurs, all you are doing is sending another additional negotiation between the primary peer and your ASA. This should not cause your ASA to establish a tunnel to secondary peer. Do you have debugs or logs during this time? Do you see your rekey failing to complete successfully? Who initiates the tunnel between ASA and secondary?