Best Practices for Stabilizing IPSec VPNs During WAN Failover

Hi Cisco Community,

I wanted to start a discussion about a common issue many of us face: IPSec site-to-site VPNs flapping or dropping during WAN failover or ISP changes.

In my experience, there are many factors that can cause the tunnel to go down, such as:

  • Dead Peer Detection (DPD) / keepalive timers not matching.
  • NAT traversal (NAT-T) behavior when the public IP changes.
  • Routing convergence delays between BGP/OSPF and the tunnel.

My questions to the community are:

  1. What are your best practices to keep IPSec VPNs stable during WAN failover?
  2. Do you usually tweak timers (DPD, keepalives) or rely on default values?
  3. Any recommended Cisco design guides or troubleshooting approaches you use regularly?

I think almost every engineer has faced this challenge at some point, so I’d love to hear your real-world insights and lessons learned.

Thanks

1 Reply

@MD Irshad Ansari using a route-based VPN (VTI/DVTI) as opposed to a policy-based VPN is the preferred design nowadays.

Yes, use DPD to detect if the remote peer is down. Use periodic, where the firewall will probe even when traffic is active. Or on-demand, where probes are sent when traffic is idle (saves bandwidth if that is a concern, but less responsive).

Use a dynamic routing protocol and tweak the timers or use BFD, for faster failover. If you must use static routing, then you would need to use IP SLA and tracking for failover.

If peers have DHCP WAN addresses, you could set the IKE identity to be email, domain or FQDN as opposed to IP address. Therefore the peer would send the same identity regardless of whether the WAN has a new IP address.

Refer to the Cisco VPN guides for more information - https://www.cisco.com/c/en/us/support/docs/interfaces-modules/virtual-private-network-module/221568-vpn-technologies-documentation-reference.html