We have Cisco IOS routers at customer end sites and an ASA in our datacenter. Our ASA is using an external IP address which we advertise out two separate ISPs (A-Primary, B-Secondary). When we test failover we are finding that the EZVPNs cannot reconnect and it keeps failing with "received packet with no matching SA, dropping".
I have logged this with our ISP (B), which manages the connection that is causing this issue, but they are advising that there is no filtering or blocking they do on our internet link.
Things to note are:
- When we are only advertising out ISP (B), new connections do not work.
- However, we have an ADSL connection which is delivered by ISP (B), and that is the only one that works. All other ADSL sites from other ISPs do not work.
- If I test with a Cisco VPN Client installed on a PC, it works fine.
- If I fail back and advertise out our primary ISP (A), new connections work again.
- NB: During the changing of the BGP advertisements it does not break currently connected VPNs, only new VPN connections.
- Our ISP (A) and ISP (B) connections terminate on the same router, which is then connected to the ASA.