Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
522
Views
0
Helpful
2
Replies

ASA Easy VPN failover issue

edisonbbs
Level 1
Level 1

‎02-01-2011 10:55 AM

Hi guys,

In our company, we got two 5510 and some 5505 firewalls.

now, I want to use EASY VPN. All of 5505 will be used by sites and branch offices. Two 5510 are our two headend.

I setup 5505 connect with two 5510 by easy VPN. one 5510 is primary server, another one is secondary. Now, once the primary server down, 5505 can switch to secondary 5510 automatically.

However, if the primary back to online. 5505 can not switch back to primary server automatically.

Is anyone know that how to fix it?

Thanks a lot

Labels:
0 Helpful
2 Replies 2

hdashnau
Cisco Employee
Cisco Employee

‎02-01-2011 11:17 AM

You will need to manually clear the tunnel for it to switch back over to the first ASA. The tunnel will not automatically failback over to the first ASA unless the second ASA also goes down.

-heather

0 Helpful

edisonbbs
Level 1
Level 1
In response to hdashnau

‎02-01-2011 11:29 AM

Thanks, right now, I did some testing.

The only way can do that is:

I setup the maximum connect time = 2 mins. in IPsec GroupPolicy at secondary 5510.

Which means every two mins, all EASY VPN has to re-connection to secondary server.

Then, once the primary server up, all 5505 will connect to 5510 primary within 2 mins.

Is it a way? I am worry about that, during primary 5510 outage, the secondary firewall will got a lot of VPN re-connection.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents