Beginner

ASA Site-to-Site VPN stops passing traffic after Power Outage

We have 2 sites connected via ASA Site-to-Site IKEv2 VPN connections. One site will lose power and after power is restored the tunnel will not pass traffic until that site's ASA is completely rebooted. The ASA itself does not lose power or shut off; it's just the ISP modem that loses power, so the internet goes down. Once the power returns and the ISP modem is powered back on, the tunnel will not pass traffic until I reboot the ASA at the offending site. Is there any setting we can change on the ASA that will allow the tunnel to continue passing traffic even though the internet goes out? The ASA in question is running ASA version 9.6.1.

Thanks

VIP Advisor

Re: ASA Site-to-Site VPN stops passing traffic after Power Outage

Hi,
I imagine the ASA still has an active Security Association (SA); rebooting it clears the SA, allowing the tunnel to be re-established. If you configured DPD/keepalive under the tunnel-group on both ASAs, this will detect when the tunnel is down and clear the SAs, allowing the tunnel to be re-established once internet connectivity has been restored.

You cannot continue passing traffic if the internet goes out.

HTH
Beginner

Re: ASA Site-to-Site VPN stops passing traffic after Power Outage

Hello,

I recreated the scenario and the offending ASA has the following errors:

IKEv2 was unsuccessful at setting up a tunnel 

Tunnel manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel

 

 

So I am assuming you are correct. So just configure the DPD on each group and it will automatically clear when this happens? No other config is needed? Also, what is the recommended DPD time?

Thanks

VIP Advisor

Re: ASA Site-to-Site VPN stops passing traffic after Power Outage

Hi,

10 seconds keepalive threshold, with a retry of 2 or 3 is acceptable.

HTH
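
The DPD/keepalive setting discussed in this thread, written out as ASA CLI. This is an added example, not configuration posted by anyone in the thread; the peer address 203.0.113.2 is a placeholder from the documentation range, and the tunnel-group name on each ASA is assumed to be the remote peer's public IP.

```cisco
! --- Configuration mode, on each ASA ---
! 203.0.113.2 is a constructed placeholder: use the tunnel-group name
! that already exists for the remote peer in this ASA's running config.
tunnel-group 203.0.113.2 ipsec-attributes
 ! threshold = seconds the peer may be idle before DPD probing starts
 ! retry     = seconds between probes once a probe goes unanswered
 ! Values are the ones suggested in the reply above (10, with retry 2 or 3).
 isakmp keepalive threshold 10 retry 2
!
! --- Exec mode: confirm the setting is present and not disabled ---
! "all" also prints values left at their defaults, so an explicit
! "isakmp keepalive disable" on either side becomes visible.
show running-config all tunnel-group
!
! --- Exec mode: check SA state before and after a simulated modem outage ---
show crypto ikev2 sa
show crypto ipsec sa peer 203.0.113.2
!
! --- Exec mode: clear stale SAs by hand instead of rebooting the ASA ---
clear crypto ipsec sa peer 203.0.113.2
clear crypto ikev2 sa
```

Note that `clear crypto ikev2 sa` without further arguments drops every IKEv2 SA on the box, so other tunnels on the same ASA renegotiate as well.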