ASA S2S VPN Secondary failover issue

Mohammed.Fawzi
Level 1

Hi everyone,

I have an issue with automatic failover of a site-to-site VPN.

I have a client that has 2 peers, one primary and the other backup; if the first fails, the second takes its place instead.

My scenario is: when the primary fails, the secondary stays in the (UP-IDLE) state until I delete the primary peer from the crypto map; then the second peer goes up.

crypto map outside 40 match address test
crypto map outside 40 set pfs group20
crypto map outside 40 set peer 1.1.1.1 2.2.2.2
crypto map outside 40 set ikev2 ipsec-proposal test
crypto map outside 40 set security-association lifetime seconds 3600


9 Replies

@Mohammed.Fawzi you need to ensure Dead Peer Detection (DPD) keepalives are configured, which will clear down the dead tunnel. DPD is enabled as default however, check it is still enabled. https://community.cisco.com/t5/security-knowledge-base/dead-peer-detection/ta-p/3111324


Hi,

It should be on by default, which is: isakmp keepalive threshold 10 retry 2

and I made sure it's on.

gajownik
Cisco Employee

What exactly do you mean by "primary fails"? For a failover to the backup peer, the primary peer must not respond to five IKE_SA_INIT messages in a row.

Additionally, IKEv2 Peer Traversal is not supported on the Responder side of an IKEv2 multi-peer topology.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/vpn/asa-914-vpn-config/vpn-ike.html#Cisco_Concept.dita_3ab5a033-060a-4968-9b93-c9278934b3f8
https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-asa/220638-understand-ikev2-crypto-map-backup-peers.html

I would suggest running a capture and debugs:

debug menu ikev2 3 1   // enables timestamps in the debugs
debug crypto condition peer 1.1.1.1
debug crypto ike-common 127
debug crypto ikev2 platform 255
debug crypto ikev2 protocol 255
debug crypto ipsec 255

undebug all

debug crypto condition peer 2.2.2.2
debug crypto ike-common 127
debug crypto ikev2 platform 255
debug crypto ikev2 protocol 255
debug crypto ipsec 255

If the first peer responds to IKE_SA_INIT, then failover will never happen.
If the second peer tries to initiate traffic while the first peer is not marked as dead, then ASA/FTD will drop that request, as peer traversal is not supported.

Hi,

What I mean is: when the primary peer is down, the second peer still stays in the IDLE_UP state. What should happen is that it changes to the second peer automatically, but it's not.

Here is my configuration.

route outside 1.1.1.1 255.255.255.255 5.5.5.5 1

route outside 2.2.2.2 255.255.255.255 5.5.5.5 1

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
isakmp keepalive threshold 10 retry 5
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
isakmp keepalive threshold 10 retry 5
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

crypto map outside 40 match address test_VPN
crypto map outside 40 set pfs group20
crypto map outside 40 set peer 1.1.1.1 2.2.2.2
crypto map outside 40 set ikev2 ipsec-proposal v2
crypto map outside 40 set security-association lifetime seconds 3600

crypto ipsec ikev2 ipsec-proposal v2
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto ikev2 policy 30
encryption aes-gcm-256
integrity null
group 20
prf sha256
lifetime seconds 86400


gajownik
Cisco Employee

Being down is vague and might mean multiple things to different people, for example traffic not passing, the IKE session failing to build at some stage, or the peer completely not responding. As said above, failover will happen only when the peer fails to reply to IKE_SA_INIT and the IKE SA is down.

Checking the configuration will not help here; you will need to verify the capture and debugs and check whether the IKE SA to the primary peer is down (show crypto ikev2 sa detail).
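
To make the check above repeatable, here is an added Python example (not from this thread and not Cisco's code) that parses "show crypto ikev2 sa" text and reports which crypto-map peer currently holds an IKE SA; the sample output is constructed to mirror the state described in the thread, and its exact column layout is an assumption.

```python
import re

# Constructed sample approximating "show crypto ikev2 sa" on an ASA in the state
# the thread describes: no IKE SA to the primary (1.1.1.1), one IKE SA to the
# backup (2.2.2.2) that is READY but has no CHILD (IPsec) SA. Layout is assumed.
SAMPLE = """\
IKEv2 SAs:

Session-id:7, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local                Remote                Status         Role
 20815 203.0.113.10/500     2.2.2.2/500           READY          INITIATOR
      Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/312 sec
"""

SESSION_RE = re.compile(
    r"^Session-id:(\d+), Status:(\S+), IKE count:(\d+), CHILD count:(\d+)", re.M)
TUNNEL_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(\S+)\s*$", re.M)


def parse_ikev2_sa(text):
    """Return (sessions, tunnels) parsed from show crypto ikev2 sa output.

    sessions: list of {id, status, ike_count, child_count}
    tunnels:  {remote_ip: {"status": ..., "role": ...}}
    """
    sessions = [dict(id=int(s), status=st, ike_count=int(i), child_count=int(c))
                for s, st, i, c in SESSION_RE.findall(text)]
    tunnels = {remote: {"status": status, "role": role}
               for _tid, _local, remote, status, role in TUNNEL_RE.findall(text)}
    return sessions, tunnels


def assess_failover(text, peers):
    """peers is the crypto-map peer list in order (primary first).

    Verdicts: primary-active, backup-active:<ip>, backup-ike-only:<ip>, no-ike-sa.
    """
    sessions, tunnels = parse_ikev2_sa(text)
    primary, backups = peers[0], peers[1:]
    if tunnels.get(primary, {}).get("status") == "READY":
        return "primary-active"
    for b in backups:
        if tunnels.get(b, {}).get("status") == "READY":
            # IKE SA to the backup exists; a CHILD SA is what actually carries traffic
            if any(s["child_count"] > 0 for s in sessions):
                return f"backup-active:{b}"
            return f"backup-ike-only:{b}"
    return "no-ike-sa"
```

Feed it the real command output and the peer order from "crypto map ... set peer" to see whether the primary IKE SA is truly gone before expecting the backup to carry traffic.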

I have checked that command: show crypto ikev2 sa de, and the primary peer completely disappeared; only the backup peer remains, with state IDLE_UP.

This scenario is true production. We made this scenario with the client; they asked for a check of whether, if the first peer goes down, the second will take its place or not. So the client brought down the primary peer from his FortiGate FW and then, as I told you, the first disappeared and the second is on idle_up.


@Mohammed.Fawzi when the primary peer is down, run "show crypto ipsec sa". Do you have an IPsec SA for the secondary peer? Are the encap/decap counters increasing or not?

Yes, I have an IPsec SA for the secondary peer, but no encaps; it stays in the IDLE_UP state

until I delete the primary peer from the crypto map; then the secondary immediately goes up.