09-26-2018 09:08 AM
Hi All,
I have an ASA in the field that has a VPN tunnel with two peer IPs listed: the first one is to DC1 and the second one is to DC2.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 12.x.xxx.20 50.xxx.xx.190
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
There is consistent traffic going over this VPN, so tunnel timeout never happens. What does happen, however, is VPN rekey. When this occurs, the tunnel re-establishes to the 2nd peer IP (DC2). I don't want that. I want them on DC1 unless DC1 fails. How can I make sure that happens?
09-28-2018 10:59 AM
This should not happen. When a rekey occurs, all you are doing is sending another additional negotiation between the primary peer and your ASA. This should not cause your ASA to establish a tunnel to the secondary peer. Do you have debugs or logs during this time? Do you see your rekey failing to complete successfully? Who initiates the tunnel between the ASA and the secondary?
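As an added example (not from this thread or from Cisco), here is a small Python check for the kind of logs the reply asks about: it walks ASA 602303/602304 (IPsec SA created/deleted) syslog lines and flags an outbound SA that lands on the secondary peer while the primary peer's SA is still up, which is the rekey-to-DC2 symptom rather than a DC1 failure. The peer addresses and log lines are constructed placeholders, not the poster's redacted ones.

```python
import re

# Constructed stand-ins for the two peers in the crypto map (documentation-range
# addresses, not the poster's real DC1/DC2 IPs).
PRIMARY_PEER = "192.0.2.20"       # DC1, first "set peer" entry
SECONDARY_PEER = "198.51.100.190"  # DC2, second "set peer" entry

# ASA syslog 602303 (SA created) / 602304 (SA deleted) for LAN-to-LAN SAs.
SA_RE = re.compile(
    r"%ASA-6-(?P<id>60230[34]): IPSEC: An (?P<dir>inbound|outbound) LAN-to-LAN SA "
    r"\(SPI= 0x(?P<spi>[0-9A-Fa-f]+)\) between (?P<local>\S+) and (?P<remote>\S+)"
)

# Constructed sample: rekey builds a new outbound SA to DC2 before DC1's SA is torn down.
SAMPLE_LOG = [
    "%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 203.0.113.1 and 192.0.2.20 (user= 192.0.2.20) has been created.",
    "%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x4D3C2B1A) between 203.0.113.1 and 192.0.2.20 (user= 192.0.2.20) has been created.",
    "%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5E6F7A8B) between 203.0.113.1 and 198.51.100.190 (user= 198.51.100.190) has been created.",
    "%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 203.0.113.1 and 192.0.2.20 (user= 192.0.2.20) has been deleted.",
]


def peer_timeline(lines):
    """Return (msg_id, direction, spi, remote_peer) for every L2L SA create/delete line."""
    events = []
    for line in lines:
        m = SA_RE.search(line)
        if m:
            events.append((m.group("id"), m.group("dir"), m.group("spi"), m.group("remote")))
    return events


def unexpected_failovers(lines, primary=PRIMARY_PEER, secondary=SECONDARY_PEER):
    """Return (spi, peer) for outbound SAs created toward the secondary peer while an
    outbound SA to the primary is still in place, i.e. a rekey that moved to DC2 without
    DC1's SA first being deleted (a genuine DC1 failure would show 602304 for DC1 first)."""
    primary_up = False
    flagged = []
    for msg_id, direction, spi, remote in peer_timeline(lines):
        if direction != "outbound":
            continue  # one SA pair per tunnel; the outbound side is enough to track
        if remote == primary:
            primary_up = msg_id == "602303"
        elif remote == secondary and msg_id == "602303" and primary_up:
            flagged.append((spi, remote))
    return flagged


if __name__ == "__main__":
    for spi, peer in unexpected_failovers(SAMPLE_LOG):
        print(f"outbound SA 0x{spi} built to secondary peer {peer} while primary SA was still up")
```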