IPsec tunnel problem between Router and PIX

vinodpol
Level 1

We are using an IPSEC 3DES tunnel between a Cisco router and a PIX firewall. Initially this tunnel worked fine. But now I am seeing the tunnel is breaking after every 30 seconds, and if there is any interesting traffic then it initiates again and keeps flapping. Due to this I am seeing that traffic is flowing and encrypted from router to PIX, but reverse-way traffic is not getting encrypted. If anyone has an answer please update.

Router#sh crypto isakmp sa
dst             src             state        conn-id  slot  status
10.227.40.4     10.227.40.34    QM_IDLE      4        0     ACTIVE
10.227.40.34    10.227.5.4      QM_IDLE      368      0     ACTIVE
10.227.40.34    10.227.5.4      MM_NO_STATE  367      0     ACTIVE (deleted)


owillins
Level 6

Concentrator and firewall headends often support fail-over capabilities in an active/standby configuration. When the primary fails, the secondary unit assumes the IP and Media-Access-Control (MAC) address of the primary, and the tunnel reestablishment commences. Routers function in an active/active configuration. Both headend devices will allow tunnel establishment. You might consider using IKE keepalives in the headend for heterogeneous remote-site device support. There is no IETF standard for keepalives today, only proposals, and thus this mechanism will work only with products from a single vendor. If a momentary loss of connectivity occurs at a remote site, it may establish a new tunnel with the secondary (but always active) headend device. Because tunnel establishment does not affect the routing table unless routing protocols are running over the tunnel, the routing state in the headend will not change. When the tunnel switches between the headends because of the remote-site flapping, the next-hop router will not be able to determine which active headend device has a valid path to the remote site. Flapping occurs when the remote site temporarily loses WAN connectivity. In order to avoid this issue consider using HSRP and reverse-route-injection (RRI). RRI works by modifying the routing table on the device to reflect tunnel SA status.
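The headend arrangement the reply describes (IKE keepalives, HSRP sharing one virtual address between two routers, and RRI so the route to the remote site exists only while the SA is up) looks like this on a Cisco IOS headend. This is an added example, not configuration from either poster; all addresses, names and the pre-shared key are constructed placeholders, and the same lines would be applied on the second headend with a lower HSRP priority.

```ios
! Added example (not from the thread). Addresses, names and key are constructed.
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 198.51.100.4
! Periodic IKE keepalives (DPD): a peer that stops answering is detected
! within a few retries and its stale SAs are torn down instead of lingering.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.4
 set transform-set TS-3DES
 match address VPN-TRAFFIC
 ! RRI: a static route for the remote network is injected only while the
 ! IPsec SA is up, so the next-hop router always learns which headend
 ! currently holds the tunnel instead of guessing between two active units.
 reverse-route
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 ! HSRP: both headends present the same virtual address to the remote site,
 ! so the PIX peers with one IP regardless of which router is active.
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HA
 ! Bind the crypto map to the HSRP group so the SAs terminate on the
 ! virtual address and move with it on failover.
 crypto map VPNMAP redundancy VPN-HA
```

After applying it, `show ip route static` on the active headend should list the remote network only while `show crypto ipsec sa` shows an established SA for that peer.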