Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1274
Views
5
Helpful
3
Replies

ASA Site-to-Site VPN stops passing traffic after Power Outage

eimotechit
Level 1
Level 1

‎05-23-2019 06:40 AM - edited ‎05-23-2019 07:24 AM

We have 2 sites connected via ASA Site-to-Site IKEv2 VPN connections. One site will lose power and after power is restored the tunnel will not pass traffic until that sites ASA is completely rebooted. The ASA itself does not loser power or shut off ,its just the ISP modem that loses power so the internet goes down. Once the power returns and ISP modem is powered back on the tunnel will not pass traffic until I reboot the ASA at the offending site. Is there any setting we can change on the ASA that will allow the runnel to continue passing traffic even though the internet goes out? The ASA in question is running ASA version 9.6.1.

 

Thanks

Labels:
0 Helpful
3 Replies 3

Rob Ingram
VIP
VIP

‎05-23-2019 07:04 AM

Hi,
I imagine the ASA still has an active Security Association (SA), rebooting it clears the SA allowing the tunnel to be re-established. If you configured DPD/keepalive under the tunnel-group on both ASAs, this will detect when the tunnel is down and clear the SAs, allowing the tunnel to be re-established once internet connectivity has been restored.

You cannot continue passing traffic if the internet goes out.

HTH

eimotechit
Level 1
Level 1
In response to Rob Ingram

‎05-23-2019 12:12 PM - edited ‎05-23-2019 12:12 PM

Hello,

 

I recreated the scenario and the offending ASA has following errors:

 

IKEv2 was unsuccessful at setting up a tunnel 

Tunnel manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel

 

 

So I am assuming you are correct. So just configured the DPD on each group and it will automatically clear when this happens? No other config is needed? Also what is the recommenced DPD time?

 

 

Thanks

0 Helpful

Rob Ingram
VIP
VIP
In response to eimotechit

‎05-23-2019 12:39 PM

Hi,

10 seconds keepalive threshold, with a retry of 2 or 3 is acceptable.

HTH
0 Helpful
Customers Also Viewed These Support Documents