10-05-2017 10:31 AM - edited 03-12-2019 04:36 AM
We are trying to figure out a backup VPN solution based on Cisco ASA.
The solution must meet the following requirements:
- A single home Internet connection on ASA5506
- ASA5506 automatically connects to the ASA at Site A as a primary VPN tunnel
- If the Site A ASA is down, ASA5506 automatically fails over to the ASA at Site B as a secondary VPN tunnel, and automatically switches back to Site A when appropriate (not during active use)
- The switch over must be seamless
The fail-over is straightforward, but how does the switchback work as per the requirements?
Thanks for your help!
Michael
10-05-2017 11:56 AM
Hello @michaelzhq,
Unfortunately, when you have VPN failover and you are using the secondary tunnel, the ASA will not switch back to the primary if the primary becomes available. One way to switch back is for the secondary VPN to fail and start the VPN tunnel all over again, or to apply an EEM script and perform the switchback automatically, but this option will delete the secondary VPN in order to get the primary working.
This is the link for reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html.
HTH
Gio
10-05-2017 01:45 PM
Thank you Gio, this is very good and useful info.
Just another question here. Without using EEM, if the 2nd VPN tunnel is disconnected due to idle timeout (no traffic for a certain time period), will the ASA automatically establish the 1st VPN tunnel for new traffic?
10-05-2017 01:55 PM
Hello @michaelzhq,
Yes, if something happens with the secondary tunnel (let's say DPDs or idle timeout), the ASA will drop the VPN tunnel and start all over again with the primary; in that case it will go back to the primary if something happens to the secondary tunnel.
In the meantime, if everything is working fine it will remain with the secondary VPN tunnel.
HTH
Gio
10-05-2017 01:46 PM
I think it attempts to switchback to the primary when the SA expires.
10-02-2023 10:12 AM
To force the tunnel to switch back to the primary, use the following command:
timeout floating-conn 0:00:30
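An added example of the backup-peer setup this thread is about, not taken from the thread or from Cisco's document: an IKEv1 site-to-site crypto map on the ASA5506 listing Site A as the first peer and Site B as the second, DPD on both tunnel-groups so a dead primary is detected, and the floating-conn timeout the last reply recommends. All addresses, object names and the pre-shared key are constructed placeholders.

```cisco
! --- Phase 1 / Phase 2 parameters (constructed example values) ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Interesting traffic: home LAN to the corporate range (placeholders) ---
access-list VPN_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0

! --- One crypto map entry, two peers: first listed = primary (Site A),
!     second = backup (Site B). The ASA tries them in this order.
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 203.0.113.20
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! --- A tunnel-group per peer. DPD (isakmp keepalive) is what lets the ASA
!     notice a dead peer and fall through to the next one in the list.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_SITE_A_KEY
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_SITE_B_KEY
 isakmp keepalive threshold 10 retry 2

! --- Let established connections be torn down and re-formed when a
!     better route appears (the command from the last reply).
timeout floating-conn 0:00:30
```

Use `show crypto ikev1 sa` and `show crypto ipsec sa peer 203.0.113.20` to confirm which peer the tunnel is currently up with while testing the failover and switchback.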