Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1768
Views
0
Helpful
5
Replies

ASA IKEv2 Site to Site with Multiple Peers

mumbles202
Level 5
Level 5

‎06-06-2022 10:40 AM

I'm setting up a site to site vpn between 2 5516s, both running 9.14.  Each of the 2 sites has 2 ISPs and each is configured to have both of the far end ip addresses as peers in the vpn configuration and has a matching tunnel-group for each of the ISPs.  If site A has a vpn up to site B over that sites main ISP and the primary ISP at site B goes down, it takes about 5 minutes in order for the vpn to establish and start passing traffic over the backup ISP.  Internet access is immediate(I can ssh to the ASA w/o any issues), but the vpn takes some time to re-establish.  As the dns server is across that vpn it causes an issue as computers are eventually down until they can re-establish connection back to the dns server.  Once the tunnel comes up all works as expected.  

 

If I recall correctly this was never an issue before when the site to site tunnel was using IKEv1.  I'll test failover of Site A ISPs later today but wanted to see if there might be something I'm missing that would account for this.  

Labels:
0 Helpful
5 Replies 5

Rob Ingram
VIP
VIP

‎06-06-2022 10:47 AM - edited ‎06-06-2022 10:51 AM

@mumbles202 do you have Dead Peer Detection (DPD) keepalives configured? this will detect stale IPSec SAs.

You might want to look at running VTI's and a routing protocol over the tunnel, it will detect failure quicker.

0 Helpful

mumbles202
Level 5
Level 5
In response to Rob Ingram

‎06-06-2022 11:07 AM

Yes, on each of the tunnel-groups I have this configured:


isakmp keepalive threshold 10 retry 2

0 Helpful

mumbles202
Level 5
Level 5
In response to MHM Cisco World

‎06-07-2022 06:32 AM

Thanks for the link. That should accomplish the connectivity, though it seems to be limiting on first read.  For example, if ISPB at 1 site is down at the same time as ISPA at the other, there seems to be no way to establish a tunnel since it's ISPA-ISPA and ISPB-ISPB.  The setup I was going for was that the either ASA can establish a vpn tunnel to each of the other sides ISPs just in case of an odd outage issue like described above.  Using IKEv1 this wasn't an issue and the failover happened fairly quickly after the track went down on either ASA.  

0 Helpful

MHM Cisco World
VIP
VIP
In response to mumbles202

‎06-07-2022 12:11 PM

hard to answer why IKEv1 is failover but IKEv2 is not.

0 Helpful
Customers Also Viewed These Support Documents