Backup Peer clarification

Hi,

When we have backup peer configuration

crypto map mymap 10 set peer X.X.X.X Y.Y.Y.Y

Now if my x.x.x.x goes down, the S2S VPN will be formed on y.y.y.y.

If x.x.x.x comes back up, will the tunnel flip back, or wait until y.y.y.y goes down to try x.x.x.x again?

Trying to understand the failover mechanism.

4 Replies

abdalsamuel
Level 1

Hello Nitesh,

At the link http://www.cisco.com/c/en/us/td/docs/ios/sec_secure_connectivity/configuration/guide/convert/sec_vpn_availability_15_1_book/sec_ipsec_pref_peer.pdf you have configuration examples. You can add the lowest lifetime to re-connect using the primary peer.

Hi,

I have an active S2S VPN tunnel which is working fine. Now if the active S2S is down, then my second peer will take over.

As per my understanding, for this we need to configure DPD to make sure it detects the dead peer, for a faster transition to the backup peer.

After reading both articles it works in a circle, so my doubt is only whether DPD is required to be configured, and whether the lifetime or any other parameters need to change for the backup peer to come up faster.

Hi Nitesh,

Yes you are correct.

Here is a link for the same:

https://supportforums.cisco.com/discussion/12242671/site-site-vpn-dpd-detection

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Aditya Ganjoo
Cisco Employee

Hi Nitesh,

If the tunnel fails to negotiate ISAKMP phase 1 with the primary IP then it will try to negotiate with the backup peer.

After the tunnel is negotiated with the backup peer, in case the primary peer comes up then it won't get renegotiated with the primary peer. It will only renegotiate if we turn down the tunnel manually or the phase 1 is rekeyed.
Please refer to the following links for greater clarity:

1. Crypto map set peer command reference - http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c6.html#pgfId-2478203

2. Providing site to site redundancy - http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_ike.html#pgfId-1121157

Regards,

Aditya

Please rate helpful posts and mark correct answers.
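As an added illustration of the behaviour described in this thread (not configuration from the original poster or from Cisco documentation), the following ASA fragment pairs the two-peer crypto map with DPD on both tunnel-groups. Peer addresses, crypto parameters, ACL networks and pre-shared keys are constructed placeholders; the points worth noting are that DPD is a per-tunnel-group attribute, so the backup peer needs its own tunnel-group, and that the phase 1 lifetime bounds how long the tunnel can stay on the backup peer after the primary returns.

```cisco
! Added example, not from the thread. Placeholder addresses (RFC 5737):
!   198.51.100.1 = primary peer (X.X.X.X), 198.51.100.2 = backup peer (Y.Y.Y.Y)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 ! Per the replies above, the ASA only returns to the primary on a manual
 ! clear or a phase 1 rekey, so this lifetime caps the time spent on the
 ! backup peer once the primary is reachable again (trade-off: more rekeys).
 lifetime 28800
!
crypto ipsec ikev1 transform-set TS-AES esp-aes-256 esp-sha-hmac
access-list VPN-ACL extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
! Peers are tried in the order listed: the backup is used only when phase 1
! with the primary fails, and the tunnel then stays there until torn down.
crypto map mymap 10 match address VPN-ACL
crypto map mymap 10 set peer 198.51.100.1 198.51.100.2
crypto map mymap 10 set ikev1 transform-set TS-AES
crypto map mymap interface outside
!
! DPD (isakmp keepalive) lives under tunnel-group ipsec-attributes, so EACH
! peer address needs a tunnel-group with its own key and keepalive settings;
! configuring it only for the primary leaves the backup SA without DPD.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK-PRIMARY
 isakmp keepalive threshold 10 retry 2
!
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK-BACKUP
 isakmp keepalive threshold 10 retry 2
!
! Verification: "show crypto ikev1 sa" shows which peer the IKE SA is built
! with; "clear crypto ikev1 sa 198.51.100.2" is the manual teardown that
! forces a fresh negotiation starting again from the primary peer.
```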