11-12-2012 07:35 AM
I restored the HA pair back to Active/Standby.
1 remaining issue.
I have 3 IPsec Site-to-Site tunnels.
I noticed that when the NEW UNIT becomes ACTIVE I am unable to pass traffic over the VPN tunnels.
When I failback I am able to pass traffic.
Any ideas?
Thanks...
11-12-2012 06:14 PM
Can you please check whether the configuration gets synchronized to the new unit, and also whether you have stateful failover configured?
11-13-2012 08:19 AM
11-12-2012 06:35 PM
Are those VPN tunnels perchance certificate-based? If so, you need to copy the certificates onto the replaced unit.
(Disk operations such as copying certificate files are not included in a configuration synchronization process.)
11-13-2012 08:21 AM
They are not certificate-based!
11-13-2012 08:38 AM
Tom,
Can you say exactly what is happening on the new active box?
show crypto isakmp sa/show crypto ipsec sa
to see what exactly is happening with the tunnels. It seems like an IPsec replication issue.
Are versions on both boxes the same?
11-13-2012 09:04 AM
11-14-2012 12:12 AM
As I understand it, is this output from the primary while it is standby-ready, or when it is active?
When you are initiating traffic, are the counters in show crypto ipsec sa increasing?
The best would be to do some online debugging for it. If possible I would suggest creating a TAC case for that.
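The last reply asks whether the `show crypto ipsec sa` counters move while test traffic is sent. The following script is an added example, not part of this thread or of any Cisco tool: it parses two captures of that command taken on the active unit (one before and one after sending traffic), sums the `#pkts encaps` / `#pkts decaps` counters per `current_peer`, and reports per tunnel whether traffic is passing, leaving but not returning, or idle. The two captures embedded below are constructed samples in the layout of ASA output, with documentation-range peer addresses and made-up counter values; the regexes assume that layout.

```python
import re

# Constructed sample: "show crypto ipsec sa" captured on the active unit
# before sending test traffic (three tunnels, as in the thread).
BEFORE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.1
      current_peer: 203.0.113.5
      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 1420, #pkts decrypt: 1420, #pkts verify: 1420
    Crypto map tag: outside_map, seq num: 2, local addr: 198.51.100.1
      current_peer: 203.0.113.9
      #pkts encaps: 800, #pkts encrypt: 800, #pkts digest: 800
      #pkts decaps: 790, #pkts decrypt: 790, #pkts verify: 790
    Crypto map tag: outside_map, seq num: 3, local addr: 198.51.100.1
      current_peer: 203.0.113.13
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed sample: the same command captured again after test traffic
# was sent towards all three remote networks.
AFTER = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.1
      current_peer: 203.0.113.5
      #pkts encaps: 1550, #pkts encrypt: 1550, #pkts digest: 1550
      #pkts decaps: 1470, #pkts decrypt: 1470, #pkts verify: 1470
    Crypto map tag: outside_map, seq num: 2, local addr: 198.51.100.1
      current_peer: 203.0.113.9
      #pkts encaps: 850, #pkts encrypt: 850, #pkts digest: 850
      #pkts decaps: 790, #pkts decrypt: 790, #pkts verify: 790
    Crypto map tag: outside_map, seq num: 3, local addr: 198.51.100.1
      current_peer: 203.0.113.13
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ipsec_sa(text):
    """Return {peer: {"encaps": n, "decaps": n}}, summing all SAs per peer."""
    counters = {}
    peer = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            counters.setdefault(peer, {"encaps": 0, "decaps": 0})
            continue
        if peer is None:
            continue  # header lines before the first peer block
        m = ENCAPS_RE.search(line)
        if m:
            counters[peer]["encaps"] += int(m.group(1))
            continue
        m = DECAPS_RE.search(line)
        if m:
            counters[peer]["decaps"] += int(m.group(1))
    return counters


def classify(before, after):
    """Compare two parses and label each tunnel by how its counters moved."""
    report = {}
    for peer in before.keys() | after.keys():
        b = before.get(peer, {"encaps": 0, "decaps": 0})
        a = after.get(peer, {"encaps": 0, "decaps": 0})
        d_enc = a["encaps"] - b["encaps"]
        d_dec = a["decaps"] - b["decaps"]
        if peer not in after:
            status = "sa gone"        # SA disappeared between captures
        elif d_enc > 0 and d_dec > 0:
            status = "passing"        # traffic leaves and replies come back
        elif d_enc > 0:
            status = "encaps only"    # outbound encrypted, nothing returns
        elif d_dec > 0:
            status = "decaps only"    # inbound arrives, nothing is sent
        else:
            status = "idle"           # no traffic hit this SA at all
        report[peer] = {"encaps_delta": d_enc, "decaps_delta": d_dec,
                        "status": status}
    return report


if __name__ == "__main__":
    for peer, r in sorted(classify(parse_ipsec_sa(BEFORE),
                                   parse_ipsec_sa(AFTER)).items()):
        print(f"{peer:16} encaps +{r['encaps_delta']:<6} "
              f"decaps +{r['decaps_delta']:<6} {r['status']}")
```

In the constructed data the first tunnel passes traffic in both directions, the second encapsulates but never decapsulates (return traffic is not arriving or not decrypting on this unit), and the third never sees any traffic at all; the "encaps only" and "idle" cases are the two that point at different follow-ups, so they are worth telling apart before opening a TAC case.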