04-11-2017 02:07 AM
ASA 5525X, Active/Active, Site to Site VPN - Failover fails
Hi
I have a new pair of 5525X ASAs operating in Active/Active Multiple Context Mode and everything is working fine in terms of network traffic flow and failover; however, site to site VPN will not function after a failover (the Site to Site VPN connection is still active, but there is no traffic increment on the VPN). A failback brings the VPN back up.
Thanks
Steve
04-11-2017 03:49 AM
What version of ASA software are you running? There was a relevant bug in 8.6(1.2) but it should be resolved in 9.x.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtn56517
Do you see any log messages when the VPN is failed and unable to come back up?
Are you able to grab a packet capture or other details when it happens?
04-11-2017 04:07 AM
Thank you Marvin.
Apologies, I should have confirmed, IOS is 9.2(2)4
Strangely, no logging is appearing after failing over (so the context logging is not carried over, although you can ASDM to it)
Will have a look at setting up a capture...
04-11-2017 04:37 AM
2017-04-11 12:28:56 Local4.Error *.*.*.* %ASA-3-336013: Route <016>, 951597600 successors, 2 rdbs
2017-04-11 12:28:56 Local4.Error *.*.*.* %ASA-3-336013: Route <016>, 951597600 successors, 2 rdbs
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-713906: IKE Receiver: Packet received on *.*.*.*:500 from *.*.*.*:500
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-720041: (VPN-Secondary) Sending Sync IKEV2 Parent Msg ID message (IKEv2 Msg ID 75) to standby unit
2017-04-11 12:27:16 Local4.Info *.*.*.* %ASA-6-302021: Teardown ICMP connection for faddr *.*.254.153/0 gaddr *.*.*.*/130 laddr *.*.*.*/130
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-713906: IKE Receiver: Packet received on *.*.*.*:500 from *.*.*.*:500
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-720041: (VPN-Secondary) Sending Sync IKEV2 Parent Msg ID message (IKEv2 Msg ID 75) to standby unit
04-11-2017 04:46 AM
I am actually receiving the following log messages on the standby firewall, admin context:
720012 (VPN-Secondary) Failed to update IPSec failover runtime data on the standby unit
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#errcosmet
There was a similar bug, which was fixed before v9.
If I clear the VPN down while active on the standby ASA, the VPN still does not initiate.
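For anyone trying to spot this condition from syslog rather than from a dead tunnel, here is a small parser that works over the message IDs quoted in this thread. It is an added example and not code from the thread, from Cisco, or from the ASA itself; the sample lines are the redacted ones posted above plus one constructed line in the same format for message 720012 (its severity digit and facility in that constructed line are assumptions). It counts the DPD "need to send" messages (751003) against IKE packets actually received (713906), notes the IKEv2 sync messages to the standby (720041), and flags 720012, which the thread associates with the standby not receiving IPsec failover runtime data.

```python
import re
from collections import Counter

# Constructed sample: the redacted lines quoted in the thread, plus one line
# in the same format for message 720012 (severity/facility assumed).
SAMPLE_LOG = """\
2017-04-11 12:28:56 Local4.Error *.*.*.* %ASA-3-336013: Route <016>, 951597600 successors, 2 rdbs
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-751003: Local:*.*.*.*:500 Remote:*.*.*.*:500 Username:*.*.*.* IKEv2 Need to send a DPD message to peer
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-713906: IKE Receiver: Packet received on *.*.*.*:500 from *.*.*.*:500
2017-04-11 12:27:16 Local4.Debug *.*.*.* %ASA-7-720041: (VPN-Secondary) Sending Sync IKEV2 Parent Msg ID message (IKEv2 Msg ID 75) to standby unit
2017-04-11 12:27:16 Local4.Info *.*.*.* %ASA-6-302021: Teardown ICMP connection for faddr *.*.254.153/0 gaddr *.*.*.*/130 laddr *.*.*.*/130
2017-04-11 12:27:17 Local4.Info *.*.*.* %ASA-6-720012: (VPN-Secondary) Failed to update IPSec failover runtime data on the standby unit
"""

# "<date> <time> <facility.level> <host> %ASA-<sev>-<msgid>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<facility>\S+) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Message IDs seen in the thread and what they mean for the failover question.
MSG_DPD_NEEDED = "751003"      # IKEv2 wants to send a DPD liveness check
MSG_IKE_RECEIVED = "713906"    # an IKE packet actually arrived from the peer
MSG_SYNC_TO_STANDBY = "720041" # IKEv2 state being synced to the standby unit
MSG_FAILOVER_UPDATE_FAILED = "720012"  # standby did not get IPsec runtime data


def parse_line(line):
    """Return a dict of fields for one ASA syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def summarize(log_text):
    """Count messages per ID and derive the failover-relevant indicators."""
    counts = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        counts[rec["msgid"]] += 1
    return {
        "by_msgid": counts,
        "dpd_sent": counts[MSG_DPD_NEEDED],
        "ike_received": counts[MSG_IKE_RECEIVED],
        "sync_to_standby": counts[MSG_SYNC_TO_STANDBY],
        "failover_update_failed": counts[MSG_FAILOVER_UPDATE_FAILED] > 0,
        "unparsed": unparsed,
    }


def assess(summary):
    """Turn the counts into plain findings an operator can act on."""
    findings = []
    if summary["failover_update_failed"]:
        findings.append(
            "720012 seen: the standby unit is not receiving IPsec failover runtime "
            "data; after a failover the tunnel can stay up but pass no traffic"
        )
    # Heuristic: many DPD sends with few IKE packets coming back means the
    # peer is not answering liveness checks on this unit.
    if summary["dpd_sent"] >= 3 and summary["ike_received"] * 2 < summary["dpd_sent"]:
        findings.append(
            "DPD sends (%d) far exceed IKE packets received (%d): peer may not "
            "be answering liveness checks" % (summary["dpd_sent"], summary["ike_received"])
        )
    return findings


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("message counts:", dict(s["by_msgid"]))
    for f in assess(s):
        print("finding:", f)
```

Point it at the admin context's syslog export from both units around the failover time; if 720012 shows up on the standby before the failover, the tunnel state was never there to take over, which matches the symptom of a tunnel that looks up but carries nothing until it is cleared on both units.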
04-11-2017 04:48 AM
Yes - that was the bug I had noted earlier.
I would recommend opening a TAC case to see if they possibly have a non-public-facing bugID that covers what you are seeing. It's not unheard of for an old bug to resurface.
04-11-2017 04:51 AM
Good call, thanks Marvin!
04-11-2017 04:49 AM
Sorry, I am bombarding you!!
OK, so now I have cleared (logout) the VPN on both the active and standby ASAs (within the context) and the VPN has now come up by itself and is incrementing (viewing on the standby ASA where the context is active)... so looking OK so far.