Solved: Re: Problem with VPN L2L and RA in a failover configuration

Fernando Patzlaff · ‎06-11-2010

I'm using two ASA 5540 in active-standby failover configuration. These boxes (primary and secondary) are used to establish some L2L and RA (Remote Access) VPN. The active box run OSPF process.

The problem is when failover occurs (just shuting down the active box, or running 'failover active' in a secondary box) all L2L don't be reestablished in a secondary box. The unique way that I can do this (reestablish the connection) is removing the RRI (Reverse Route Injection) configuration (eg. 'no crypto map rprbbe_map 3 set reverse-route') and putting the rri configuration ( 'crypto map rprbbe_map 3 set reverse-route'). After do this the connection is reestablished.

In RA clients the session persists, on a failover event, but the client lost the access. To solve this, the client need to disconnect and reconnect.

Someone have experience with this kind of VPN (L2L and RA) configuration using failover?

Marcin Latosiewicz · ‎06-12-2010

Behavior looks buggy.

What version are you running?

View solution in original post

Marcin Latosiewicz · ‎06-14-2010

A lot of guess work but there are two potential bugs:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd74691

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf68934

I would check if you see rerr or txerr increasing in "show failover" on any of the firewall.

I'd check "fsck" on both units and try doing "write standby" on active afterwards.

Short of that ... either upgrad to 8.3.2 when it's out (august?) or downgrade to 8.2 and test again. Or open a TAC case.

View solution in original post

Marcin Latosiewicz · ‎06-12-2010

Behavior looks buggy.

What version are you running?

Fernando Patzlaff · ‎06-14-2010

Version 8.3(1)

Marcin Latosiewicz · ‎06-14-2010

A lot of guess work but there are two potential bugs:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd74691

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf68934

I would check if you see rerr or txerr increasing in "show failover" on any of the firewall.

I'd check "fsck" on both units and try doing "write standby" on active afterwards.

Short of that ... either upgrad to 8.3.2 when it's out (august?) or downgrade to 8.2 and test again. Or open a TAC case.

Fernando Patzlaff · ‎06-24-2010

I've opened a TAC for this issue.

I'm waiting the solution.

Marcin Latosiewicz · ‎06-24-2010

Can you share the case number with me?

Fernando Patzlaff · ‎06-24-2010

The case number is: SR 614675535.

Fernando Patzlaff · ‎06-29-2010

This issue is a new bug identified with ID CSCth58083.

Marcin Latosiewicz · ‎06-29-2010

Awesome!

I've added this one to my interest list.

Marcin

Fernando Patzlaff · ‎08-20-2010

This week I received a solution for my problem from TAC!

After some upgrades of version, now I'm running on asa831-6-k8 (develop version), my connections was passed from one box (primary unit) to another box (standby unit), after a failover, but the proplem with RRI happens.

The solution of my case was insert a static default route with a high metric than OSPF. Why? According with Cisco Engineer, the standby unit needs this to reach the connections that already been established (L2L and RA) and after the OSPF process is running on the standby unit, after a failover, the static routes of L2L and RA may be inserted on OSPF routes.