ASA 5525X, Active/Active, Site to Site VPN - VPN failover fails

steve pearson
Level 1

Hi

I have a new pair of 5525X ASAs operating in Active/Active multiple context mode and everything is working fine in terms of network traffic flow and failover; however, site-to-site VPN will not function after a failover (the site-to-site VPN connection is still active, but there is no traffic increment on the VPN). A fail back brings the VPN back up.

Thanks

Steve

7 Replies

Marvin Rhoads
Hall of Fame

What version of ASA software are you running? There was a relevant bug in 8.6(1.2) but it should be resolved in 9.x.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtn56517

Do you see any log messages when the VPN is failed and unable to come back up?

Are you able to grab a packet capture or other details when it happens? 

Thank you Marvin.

Apologies, I should have confirmed: IOS is 9.2(2)4.

Strangely, no logging is appearing after failing over (so the context logging is not carried over, although you can ASDM to it)

Will have a look at setting up a capture...

2017-04-11 12:28:56    Local4.Error    *.*.*.*    %ASA-3-336013: Route <016>, 951597600 successors, 2 rdbs
2017-04-11 12:28:56    Local4.Error    *.*.*.*    %ASA-3-336013: Route <016>, 951597600 successors, 2 rdbs


2017-04-11 12:27:16    Local4.Debug    *.*.*.*    %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16    Local4.Debug    *.*.*.*    %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16    Local4.Debug    *.*.*.*    %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16    Local4.Debug    *.*.*.*    %ASA-7-713906: IKE Receiver: Packet received on *.*.*.*:500 from *.*.*.*:500
2017-04-11 12:27:16    Local4.Debug    *.*.*.*    %ASA-7-720041: (VPN-Secondary) Sending Sync IKEV2 Parent Msg ID message (IKEv2 Msg ID 75) to standby unit


2017-04-11 12:27:16    Local4.Info    *.*.*.*    %ASA-6-302021: Teardown ICMP connection for faddr *.*.254.153/0 gaddr *.*.*.*/130 laddr *.*.*.*/130
2017-04-11 12:27:16    Local4.Debug    *.*.*.*    %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16    Local4.Debug    *.*.*.*    %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16    Local4.Debug    *.*.*.*    %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16    Local4.Debug    *.*.*.*    %ASA-7-713906: IKE Receiver: Packet received on *.*.*.*:500 from *.*.*.*:500
2017-04-11 12:27:16    Local4.Debug    *.*.*.*    %ASA-7-720041: (VPN-Secondary) Sending Sync IKEV2 Parent Msg ID message (IKEv2 Msg ID 75) to standby unit

I am actually receiving the following log messages on the standby firewall, admin context:

720012 (VPN-Secondary) Failed to update IPSec failover runtime data on the standby unit

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#errcosmet

There was a similar bug, which was fixed before v9.

If I clear the VPN down while active on the standby ASA, the VPN still does not initiate. 
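The standby's 720012 message and the 720041 sync messages quoted above are the signals that distinguish this failure mode (tunnel shows up, no traffic after failover) from an ordinary tunnel drop. As an added example that is not part of this thread, the following Python script parses syslog-forwarded ASA lines in the format shown above and flags those two message IDs. The regular expression, the sample lines and the IP addresses are constructed for the example; the message IDs are the ones quoted in the thread, and the severity shown for 720012 is an assumption.

```python
import re
from collections import Counter

# Syslog-forwarded ASA line as it appears in the thread:
#   <timestamp>    <facility.severity>    <host>    %ASA-<sev>-<msgid>: <text>
# The regex and all sample data below are constructed for this example.
ASA_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<facility>\S+)\s+(?P<host>\S+)\s+"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)

# Message IDs quoted in the thread that relate to VPN state replication
# between the failover pair:
#   720041: active unit sent an IKEv2 sync message to the standby
#   720012: standby failed to update IPsec failover runtime data
VPN_FAILOVER_IDS = {"720041": "ike_sync_sent", "720012": "ipsec_sync_failed"}

# Constructed sample input modelled on the thread's log format. Addresses are
# placeholders; the severity on the 720012 line is assumed, not taken from the page.
SAMPLE_LOG = """\
2017-04-11 12:27:16    Local4.Debug    10.0.0.1    %ASA-7-751003: Local:10.0.0.1:500 Remote:10.0.0.2:500 Username:10.0.0.2 IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16    Local4.Debug    10.0.0.1    %ASA-7-713906: IKE Receiver: Packet received on 10.0.0.1:500 from 10.0.0.2:500
2017-04-11 12:27:16    Local4.Debug    10.0.0.1    %ASA-7-720041: (VPN-Secondary) Sending Sync IKEV2 Parent Msg ID message (IKEv2 Msg ID 75) to standby unit
2017-04-11 12:27:17    Local4.Error    10.0.0.3    %ASA-3-720012: (VPN-Secondary) Failed to update IPSec failover runtime data on the standby unit
2017-04-11 12:28:56    Local4.Error    10.0.0.1    %ASA-3-336013: Route <016>, 951597600 successors, 2 rdbs
this line is not a syslog record and is skipped
"""


def parse_line(line):
    """Parse one forwarded ASA syslog line; return a dict or None if it does not match."""
    m = ASA_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def parse_log(text):
    """Parse every line of a log dump, silently dropping lines that are not ASA records."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def vpn_failover_findings(records):
    """Return (findings, counts): findings are the records whose message ID is one of the
    failover-sync IDs, each annotated with a label; counts tallies every message ID seen,
    which is useful for spotting the DPD/sync chatter the thread shows repeating."""
    counts = Counter(r["msgid"] for r in records)
    findings = [{**r, "label": VPN_FAILOVER_IDS[r["msgid"]]}
                for r in records if r["msgid"] in VPN_FAILOVER_IDS]
    return findings, counts


def sync_failed(records):
    """True when the standby reports it could not apply IPsec failover runtime data.
    That is the condition under which, after a failover, the tunnel looks up but passes
    no traffic, so it is the record worth alerting on rather than the debug-level DPD lines."""
    return any(r["msgid"] == "720012" for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    findings, counts = vpn_failover_findings(recs)
    for f in findings:
        print(f"{f['ts']} {f['host']} {f['label']}: {f['text']}")
    print("IPsec failover sync failed:", sync_failed(recs))
```

Feeding the script the logs from both units of the pair is what makes it useful: the 720041 lines come from the active unit and the 720012 line from the standby, so a sync-sent record with no matching failure on the other host is the healthy case, and the failure record on the standby is the one to page on.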

Yes - that was the bug I had noted earlier.

I would recommend opening a TAC case to see if they possibly have a non-public-facing bugID that covers what you are seeing. It's not unheard of for an old bug to resurface.

Good call, thanks Marvin!

Sorry, I am bombarding you!!

OK, so now I have cleared (logged out) the VPN on both the active and standby ASAs (within the context) and the VPN has now come up by itself and is incrementing (viewing on the standby ASA where the context is active)... so looking OK so far.