HDBank Network

VPN to remote site that has 2 failover links

Dear support team,

I'm using a 1861 Router with the C1861-ADVENTERPRISEK9-M IOS version to connect a site-to-site VPN to the DC site, which has 2 VPN links for redundancy. The router can connect successfully when using a crypto map with each public IP of the DC site. My problem is that when I add 1 more peer to the crypto map and shut down the running peer on the DC site, the connection between the 2 sites fails while show crypto session for the new peer shows UP-ACTIVE.

Here's the log of show crypto session detail for the new peer:

Interface: Dialer1
Uptime: 00:00:54
Session status: UP-ACTIVE
Peer: y.y.y.y port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
  IKE SA: local z.z.z.z/500 remote y.y.y.y/500 Active
          Capabilities:(none) connid:2003 lifetime:00:04:05
  IPSEC FLOW: permit ip
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 1869 drop 0 life (KB/Sec) 4408194/245
        Outbound: #pkts enc'ed 3536 drop 158 life (KB/Sec) 4408171/245
  IPSEC FLOW: permit ip
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4487324/272
        Outbound: #pkts enc'ed 36 drop 46 life (KB/Sec) 4487320/272

Here's the configuration:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 300
crypto isakmp key vpnkey address x.x.x.x
crypto isakmp key vpnkey address y.y.y.y

crypto ipsec transform-set vpn esp-aes esp-sha-hmac

crypto map test 100 ipsec-isakmp
 set peer x.x.x.x
 set peer y.y.y.y
 set security-association lifetime seconds 300
 set transform-set vpn
 match address vpn

interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username  password
 crypto map test

Could you please help me find a solution for this problem. Thank you so much.
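A health check for the counters in that output, added here as an example and not taken from the thread or from Cisco: it parses a constructed sample modelled on the show crypto session detail output above (placeholder addresses) and flags flows that are UP-ACTIVE on paper but only moving packets one way or dropping outbound packets, which is the symptom described in the post.

```python
import re

# Constructed sample modelled on the "show crypto session detail" output in
# the post above; y.y.y.y / z.z.z.z are placeholders, not real peers.
SAMPLE = """\
Interface: Dialer1
Uptime: 00:00:54
Session status: UP-ACTIVE
Peer: y.y.y.y port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
  IKE SA: local z.z.z.z/500 remote y.y.y.y/500 Active
          Capabilities:(none) connid:2003 lifetime:00:04:05
  IPSEC FLOW: permit ip
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 1869 drop 0 life (KB/Sec) 4408194/245
        Outbound: #pkts enc'ed 3536 drop 158 life (KB/Sec) 4408171/245
  IPSEC FLOW: permit ip
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4487324/272
        Outbound: #pkts enc'ed 36 drop 46 life (KB/Sec) 4487320/272
"""

FLOW_RE = re.compile(r"^\s*IPSEC FLOW:\s*(?P<flow>.+?)\s*$")
IN_RE = re.compile(r"Inbound:\s+#pkts dec'ed (\d+) drop (\d+)")
OUT_RE = re.compile(r"Outbound:\s+#pkts enc'ed (\d+) drop (\d+)")


def parse_session(text):
    """Return the session status, peer address and per-flow packet counters."""
    session = {"status": None, "peer": None, "flows": []}
    flow = None
    for line in text.splitlines():
        if line.startswith("Session status:"):
            session["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            session["peer"] = line.split()[1]
        elif FLOW_RE.match(line):
            flow = {"flow": FLOW_RE.match(line)["flow"]}
            session["flows"].append(flow)
        elif (m := IN_RE.search(line)) and flow is not None:
            flow["in_pkts"], flow["in_drop"] = int(m[1]), int(m[2])
        elif (m := OUT_RE.search(line)) and flow is not None:
            flow["out_pkts"], flow["out_drop"] = int(m[1]), int(m[2])
    return session


def flow_alerts(session):
    """Flag flows that are 'up' yet are not carrying traffic in both directions."""
    alerts = []
    for i, f in enumerate(session["flows"]):
        # Encrypting towards the peer but nothing ever decrypted back: one-way tunnel.
        if f.get("out_pkts", 0) > 0 and f.get("in_pkts", 0) == 0:
            alerts.append((i, "one-way: encrypting but nothing decrypted"))
        if f.get("out_drop", 0) > 0:
            alerts.append((i, "outbound drops %d" % f["out_drop"]))
    return alerts
```

Run against the sample it reports the second flow as one-way and both flows as dropping outbound packets, even though the session status reads UP-ACTIVE.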


Check your routes.



Thanks, Jawad.

My VPN topology is used for a centralized Internet connection. Here's the routing configuration:

ip route Dialer1

I've just found a strange thing. After a long time (I think it takes more than 1 hour) of failed connection for the new peer, it turned into a successful connection for that new peer. I waited for about 1 hour, 2 days ago, with continuous ping. I configured the IKE renegotiation and SA lifetimes to be 5 minutes.



Try this.

1. Modify the crypto map configuration: use the "default" option for the primary link in the DC.

crypto map test 100 ipsec-isakmp
 set peer x.x.x.x default
 set peer y.y.y.y

2. Enable DPD (Dead Peer Detection) on both routers.

crypto isakmp keepalive <seconds> [retry-seconds] [periodic | on-demand]

Link: IPsec Dead Peer Detection



________________ Best regards, MB

Thanks, czaja0000.

I tried 1 before but it didn't work.

With your option 2, I cannot use it in my environment. At the DC site, I use a Checkpoint FW to establish the VPN connection. My Checkpoint version does not support DPD.