The ASA tries to establish a Phase 2 tunnel on an interface, and a Pha

abdulaziz.doro · ‎02-23-2022

I have Two interfaces for Internet Active/Backup the main has metric 1 with SLA

and backup has 254 metrics when the latency in the network reach above 500Ms

the VPN connection is down and this log appears :

___________________________________________________________

ASA-3-713258: IP = var1, Attempting to establish a phase2 tunnel on var2 interface but phase1 tunnel is on var3 interface. Tearing down old phase1 tunnel due to a potential routing change.

The ASA tries to establish a Phase 2 tunnel on an interface, and a Phase 1 tunnel already exists on a different interface. The existing Phase 1 tunnel is torn down to allow the establishment of a new tunnel on the new interface.

• var1—The IP address of the peer

• var2—The interface on which the ASA is trying to establish a Phase 2 tunnel

• var3—The interface on which the Phase 1 tunnel exists

______________________________________________________________

If anyone faced this issue before, please help me with this error

MHM Cisco World · ‎02-23-2022

Hi friend again
just check this solution
ASA1-ASA2
ASA2 config the IPSec with only one Peer this make ASA2 establish phase 1 toward ASA1 WAN1 ip address, if the ASA1 failed and shift to WAN2 then the ASA1 don't care to establish new Phase 1.
so ASA2 can solve the issue with config two Peer same Crypto Map and config the keep alive,
if the ASA2 detect failed for ASA1 WAN1 then it will shift to ASA1 WAN2.

https://integratingit.wordpress.com/2020/05/21/asa-multi-peer-vpn/

this for IKEv2 but it same for IKEv1.

note:-please can you explain the solution for ASA dual WAN "from your previous post".