Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2284
Views
0
Helpful
5
Replies

site to site VPN failover and switchback

michaelzhq
Level 2
Level 2

‎10-05-2017 10:31 AM - edited ‎03-12-2019 04:36 AM

We are trying to figure out a backup VPN solution based on Cisco ASA.

 

The solution must meet the following requirements:

 - A single home Internet connection on ASA5506

- ASA5506 automatically connects to the ASA at Site A as a primary VPN tunnel

- If the Site A ASA is down, ASA5506 automatically fails over to the ASA at Site B as a secondary VPN tunnel, and automatically switch back to Site A when appropriate (not during active use)

- The switch over must be seamless

 

The fail-over is straightforward but how the switchback works as per the requirements?

 

Thanks for your helps!

 

Michael

1 person had this problem
Labels:
0 Helpful
5 Replies 5

GioGonza
Level 4
Level 4

‎10-05-2017 11:56 AM

Hello @michaelzhq

 

Unfortunately, when you have VPN failover and you are using the secondary tunnel, the ASA will not switchback to the primary if the primary comes available, one way to switchback is secondary VPN fails and start the VPN tunnel all over again or apply an EEM and perform the switchback automatically but this option will delete the secondary VPN in order to get the Primary working. 

 

This is the link for reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html.

 

HTH

Gio

0 Helpful

michaelzhq
Level 2
Level 2
In response to GioGonza

‎10-05-2017 01:45 PM

Thank you Gio., this is very good and useful info.

 

Just another question here. Without using EEM, if the 2nd VPN tunnel is disconneted due to idle timeout (no traffic for a certain time period), will ASA automatically establish 1st VPN tunnel for new traffic?

0 Helpful

GioGonza
Level 4
Level 4
In response to michaelzhq

‎10-05-2017 01:55 PM

Hello @michaelzhq,

 

Yes, if something happens with Secondary tunnel (let´s say DPDs or idle tomeout), the ASA will drop the VPN tunnel and start all over again with the Primary, in that case it will go back to the Primary if something happens to the Secondary Tunnel. 

 

In the meantime, if everthing is working fine it will remain with the Secondary VPN tunnel.

 

HTH

Gio

 

 

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni

‎10-05-2017 01:46 PM

I think it attempts to switchback to the primary when the SA expires.

0 Helpful

Barrett Cowan
Level 1
Level 1

‎10-02-2023 10:12 AM

To force the tunnel to switch back to the primary use the following command

timeout floating-conn 0:00:30

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents