Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
740
Views
0
Helpful
2
Replies

Cisco ASA VPN - Renegotiate?

AnisBhambhani37509
Level 1
Level 1

‎08-18-2020 03:13 AM

Hi,

I'm upgrading Cisco ASA from 9.10(1)30 to 9.10(1)42. Have got multiple site to site VPN tunnels and webvpn setup too on this box. What impact i can expect when the failover happens?

 

Will the site to site VPN try to renegotiate?

Or

can the current VPN session be replicated to the standby peer including IKE negotiations so that there is no renegotiation happening ?

 

Thanks.

Labels:
0 Helpful
2 Replies 2

Rob Ingram
VIP
VIP

‎08-18-2020 05:32 AM

Hi,

I assume you have an ASA Active/Standby HA pair? If so, then yes the ISAKMP and IPSec sessions are replicated to the standby, so no renegotiation. You’d still want to perform the upgrade in a change window though.

 

HTH

0 Helpful

AnisBhambhani37509
Level 1
Level 1
In response to Rob Ingram

‎08-18-2020 05:37 AM

Hi Rob,

 

Thanks, yes I have Active/Standby HA pair setup. I was reading one of the article where it says minor release doesn't impact ongoing VPN but the major release upgrade can force phase 1 and phase 2 to renegotiate - is that correct ?

0 Helpful
Customers Also Viewed These Support Documents