Cisco ASA VPN S2S Failover

mikiNet
Level 1

Hello Guys,

I am writing to you because I met a very strange problem. But first I describe my topology and my goal.

I have two ASAs in different locations. The first, ASA1, has one WAN link to an ISP; the second, ASA2, has two WAN links, to ISP1 and ISP2 (for redundancy purposes).

Topology:

                                                           ------------  1 ISP

ASA1 --------- Site-to-Site ---------                                    ASA2

                                                           ------------  2 ISP

 

Between the ASAs I have a site-to-site VPN and everything is working well. On the first ASA1 I have configured a crypto map with the two public addresses of ASA2 for redundancy:

crypto map outside-map 20 set peer 1.1.1.1 2.2.2.2

 

But the problem appears with this scenario:

ASA2 loses connectivity to the primary ISP (1.1.1.1), so it switches to the backup ISP (2.2.2.2); the SLA monitor triggers this action. ASA1 detects the change and initiates VPN connectivity to the second public IP of ASA2, 2.2.2.2. And still everything is working well, failover works.

 

The problem appears when ISP1 comes back on ASA2, because ASA1 still has VPN connectivity with ASA2 via the backup ISP (2.2.2.2) and ASA2 is now sending packets via the primary link (1.1.1.1), but the VPN session between the ASAs is established on ISP2....

 

How can I trigger teardown of the VPN session on the old link and set up a new connection via the primary link? I want an automated solution, not a manual one, because when I manually clear crypto isakmp everything returns to a good state.

 

1 Accepted Solution

3 Replies

@mikiNet so ISP1 is now active again and the default route has changed back to ISP1 but the tunnel is still terminated on ISP2 interface? Perhaps create an EEM script to detect when ISP1 is active again to then automatically clear the SA terminated on ISP2 interface.
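One way to build the EEM applet suggested above, as an added example that is not from the thread or any of its posters. It runs on ASA2 (the box doing the SLA tracking) and assumes: the default route via ISP1 is installed and withdrawn by "track" (which logs syslog 622001 on each transition), the tunnel is IKEv1 (the poster clears "crypto isakmp"), interface names and monitor targets are hypothetical, and ASA1's public address (not given in the question) is a placeholder.

```cisco
! Existing reachability tracking on ASA2 (shape assumed, values hypothetical).
! 1.1.1.1 sits on outside-isp1, 2.2.2.2 on outside-isp2, as in the question.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside-isp1
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside-isp1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside-isp2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Syslog 622001 ("Starting|Removing tracked route ...") must actually be
! generated for the applet to see it: logging has to be enabled and the
! message must not be suppressed with "no logging message 622001".
logging enable
!
! When the tracked ISP1 route is re-installed, tear down the IKE and IPsec
! SAs with ASA1 (which are currently terminated on outside-isp2) so that
! ASA1 re-establishes against its first configured peer, 1.1.1.1.
! 622001 is logged on both add and remove, so the applet also fires at
! failover time; clearing SAs that are about to fail anyway is acceptable
! here, since the crypto map on ASA1 lists 2.2.2.2 as the next peer.
event manager applet ISP1-RESTORED-CLEAR-VPN
 description Clear S2S SAs when the tracked ISP1 default route changes
 event syslog id 622001
 action 1 cli command "clear crypto ipsec sa peer <ASA1-PUBLIC-IP>"
 action 2 cli command "clear crypto ikev1 sa <ASA1-PUBLIC-IP>"
 output none
!
! Verification after ISP1 returns (the IKE SA should show ASA1 as peer
! and the IPsec SA should be bound to the outside-isp1 interface):
!   show crypto ikev1 sa
!   show crypto ipsec sa peer <ASA1-PUBLIC-IP>
!   show route | include 0.0.0.0
```

Replace <ASA1-PUBLIC-IP> with the real address of ASA1; if the tunnel is IKEv2, use "clear crypto ikev2 sa" in action 2 instead.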

Exactly! ISP1 is now active again and the default route has changed back to ISP1, but the tunnel is still terminated on the ISP2 interface.