12-08-2009 03:30 AM
Hello,
I have an ASA5520 and I have configured two ISPs in failover mode: if the primary ISP goes down, the backup ISP takes over and the internet works fine, but the Site-to-Site IPsec VPN SAs remain on the primary ISP; it is not renegotiating with the backup IP until I clear the crypto ipsec sa.
Can someone please help me out?
Parvendra
12-11-2009 08:37 PM
Do you have DPD keepalives enabled? If so, and the keepalives fail, the SAs will be cleared by the ASA and the (reachable) backup peer IP would likely be used when the tunnel rebuilds.
12-14-2009 01:16 AM
Hi James,
Thanks for the reply. I have configured "isakmp keepalive threshold 10 retry 3" on my ASA5520 but still no success. I have seen an error in the syslog, attached below, and I think the problem is on the other side: either the Checkpoint does not support keepalives or they haven't configured keepalives.
Dec 14 2009 14:08:23: %ASA-3-713119: Group = 11.22.33.44, IP = 11.22.33.44, PHASE 1 COMPLETED
Dec 14 2009 14:08:23: %ASA-3-713122: IP = 11.22.33.44, Keep-alives configured on but peer does not support keep-alives (type = None)
Please suggest.
Thanks
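The two syslog lines above are the kind of evidence worth pulling out of an ASA log automatically when a tunnel does not fail over: message 713119 shows Phase 1 completing with the peer, and 713122 shows the ASA reporting that the peer does not support keepalives, which is exactly the case where DPD cannot tear down the stale SA. The following script is an added example written for this thread, not something posted in it: it parses ASA syslog lines, groups them by peer IP, and lists the peers for which 713122 was logged. The two lines from the thread are reused as input; the second peer (a TEST-NET address) and the non-ASA noise line are constructed for the example.

```python
import re
from collections import defaultdict

# ASA syslog header: timestamp, severity digit, six-digit message ID, then the body.
ASA_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# The "IP = a.b.c.d" field that IKE messages carry for the remote peer.
PEER_IP = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Message IDs as they appear in the lines posted in the thread.
PHASE1_COMPLETED = "713119"
PEER_NO_KEEPALIVE = "713122"


def parse_asa_line(line):
    """Return a dict with ts, sev, msgid, body and peer_ip, or None for a non-ASA line."""
    m = ASA_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ip = PEER_IP.search(rec["body"])
    rec["peer_ip"] = ip.group("ip") if ip else None
    return rec


def summarize_peers(lines):
    """Per peer IP: count of Phase 1 completions and whether the ASA reported
    that the peer does not support IKE keepalives (so DPD cannot clear its SAs)."""
    summary = defaultdict(lambda: {"phase1_completed": 0, "keepalive_unsupported": False})
    for line in lines:
        rec = parse_asa_line(line)
        if rec is None or rec["peer_ip"] is None:
            continue  # skip unrelated lines and ASA messages without a peer IP
        entry = summary[rec["peer_ip"]]
        if rec["msgid"] == PHASE1_COMPLETED:
            entry["phase1_completed"] += 1
        elif rec["msgid"] == PEER_NO_KEEPALIVE:
            entry["keepalive_unsupported"] = True
    return dict(summary)


def peers_without_keepalive(lines):
    """Sorted list of peer IPs for which %ASA-3-713122 was logged."""
    return sorted(ip for ip, e in summarize_peers(lines).items() if e["keepalive_unsupported"])


SAMPLE_LOG = [
    # The two lines posted in the thread.
    "Dec 14 2009 14:08:23: %ASA-3-713119: Group = 11.22.33.44, IP = 11.22.33.44, PHASE 1 COMPLETED",
    "Dec 14 2009 14:08:23: %ASA-3-713122: IP = 11.22.33.44, Keep-alives configured on but peer does not support keep-alives (type = None)",
    # Constructed line: a second peer (TEST-NET address) that completes Phase 1 and supports keepalives.
    "Dec 14 2009 14:09:01: %ASA-3-713119: Group = 192.0.2.10, IP = 192.0.2.10, PHASE 1 COMPLETED",
    # Constructed noise line from another daemon; the parser ignores it.
    "Dec 14 2009 14:09:02: some other daemon: unrelated message",
]

if __name__ == "__main__":
    for ip, entry in summarize_peers(SAMPLE_LOG).items():
        print(ip, entry)
    print("peers the ASA cannot DPD-monitor:", peers_without_keepalive(SAMPLE_LOG))
```

Fed the real ASA log, the output narrows the failover problem to the peers that will keep stale SAs on the primary ISP address until they are cleared manually or the remote side enables keepalives.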