08-21-2012 09:21 AM
I have a primary and backup ASA 5510. The primary has numerous site IPsec VPNs configured with different ISRs; the backup also has the same site VPNs configured. Each ISR has a backup peer to the backup ASA configured. Both primary and backup peers are establishing at times, and at other times it fails over completely to backup when primary is active. Have tried answer-only at the backup ASA and this has no effect.
The configuration at the ISR is as below:
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to1.1.1.1
 set peer 1.1.1.1
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA
 match address 101
08-21-2012 10:32 AM
When using the ASA as a VPN appliance it is designed to operate only in Active-Standby High Availability (HA) mode. Peers should have VPN configured to only the Active outside IP address.
In the event of a failover, the former Standby unit (now Active) is designed to take over the IP address and continue servicing the VPN tunnels.
08-21-2012 02:14 PM
I understand your scenario that you are not running your ASAs in a failover-mode but completely independent on different providers. Is that right?
That can cause problems, as the router sends traffic into the VPN from which it last saw traffic. If that changes for some reason from ASA1 to ASA2 or vice versa, then the state check on the ASA can drop that traffic.
I would say you are using the wrong tool for the right job.
If you have the option, you should terminate these S2S tunnels on an IOS router. That way you don't have the firewalling and you can easily use routing protocols to detect VPN failures.
08-24-2012 08:23 AM
This was the default switch on the primary peer statement. Thanks anyway.