ASA to ASA l2l with backup tunnel

Unanswered Question
May 30th, 2007

I think I lost my mind over this.

I have 2 ASAs, one at a remote site (ASA5505) and one at our datacenter (ASA5520). The remote site has 2 internet connections: primary is T1 and backup is DSL. All I want to do is this: when the T1 fails, the VPN tunnel between the Remote ASA and Datacenter ASA should move to the DSL link.

What I thought I had to do was, on the Datacenter, create 2 tunnel groups and 2 new policies for the remote office. Well, nope, it's not working. I have had a TAC case open for 6 weeks and even they don't know! arrrr! Sorry, now that's out.

Remote Site on DSL( -------------Datacenter ( Cry Map Policy 170 -> ACL outside_cyptomap_170 -> peer -> Remote Net

Remote Site on T1 ( ( Cry Map Policy 160- > ACL outside_crytopmap_160 -> peer -> Remote net

I think it's because the network lists overlap, so how do I get this to work? I can't be the only one who has a config like this, or am I?


acomiskey Wed, 05/30/2007 - 17:14

Which end are you attempting to initiate the tunnel from after the T1 goes down? Take a look here under Usage Guidelines, the paragraph which starts with "Configuring multiple peers". You should be able to set multiple peers in the datacenter ASA instead of creating two distinct tunnel-groups. What is taking care of the routing for the failover in the remote ASA? Are you using the Backup ISP option?

mleone8087 Wed, 05/30/2007 - 18:00

Hey thanks!

I want to initiate the tunnel from the datacenter when the T1 goes down. I'm using the backup ISP option.

So I just read the link, very good thank you. Still stuck here. When T1 is up tunnel is good, when T1 is down nothing. What I get now is- %PIX|ASA-3-713042: IKE Initiator unable to find policy: Intf in the syslog messages?

Datacenter is now:

crypto map vpn 160 match address outside_cryptomap_160
crypto map vpn 160 set connection-type originate-only
crypto map vpn 160 set peer t1peer dslpeer
crypto map vpn 160 set transform-set myset

Remote site:

crypto map outside_map 50 match address outside_50_cryptomap
crypto map outside_map 50 set connection-type answer-only
crypto map outside_map 50 set peer datacenter
crypto map outside_map 50 set transform-set myset

Any help would be nice.

Thanks again!

acomiskey Wed, 05/30/2007 - 18:15

What is the rest of that log? Do you want to post your configs, that may help?

Is isakmp enabled on dsl interface at remote site?

acomiskey Thu, 05/31/2007 - 04:54

It doesn't appear the datacenter ASA ever tries the second backup peer of 76.x.x.x like it is supposed to.

acomiskey Thu, 05/31/2007 - 05:49

Make sure that dpd keepalives are configured on all tunnel-groups.

isakmp keepalive

mleone8087 Thu, 05/31/2007 - 06:06

I just set that up, ran this on both ends:

crypto isakmp disconnect-notify
crypto isakmp keepalive 10 2

acomiskey Thu, 05/31/2007 - 06:19

What is the "disconnect-notify" supposed to do? Have you tried without it?

mleone8087 Thu, 05/31/2007 - 06:23

I have tried with and without.

Cisco says

Remote access or LAN-to-LAN sessions can drop for several reasons, such as: a security appliance shutdown or reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off.

The security appliance can notify qualified peers (in LAN-to-LAN configurations), Cisco VPN Clients and VPN 3002 hardware clients of sessions that are about to be disconnected. The peer or client receiving the alert decodes the reason and displays it in the event log or in a pop-up panel. This feature is disabled by default.

Qualified clients and peers include the following:

  • Security appliances with Alerts enabled.
  • Cisco VPN clients running version 4.0 or later software (no configuration required).
  • VPN 3002 hardware clients running version 4.0 or later software, and with Alerts enabled.
  • VPN 3000 Series concentrators running version 4.0 or later software, with Alerts enabled.

To enable disconnect notification to IPSec peers, enter the isakmp disconnect-notify command.

tried it for kicks

acomiskey Thu, 05/31/2007 - 06:32

Ah ok, I was trying to figure out how the peer would be notified that the tunnel was dropping when the connection (T1) would not be there to be able to alert the peer. Also, the peers would know because of Dead Peer Detection that the peer was no longer available.

Can TAC explain why the datacenter ASA is not attempting the backup peer?

If you take out the primary peer from the config and just use the backup peer, does this work? (With the T1 unplugged, of course.)

mleone8087 Thu, 05/31/2007 - 07:11

TAC has no idea :(

"If you take out the primary peer from the config and just use the backup peer, does this work?(with the t1 unplugged of course)" I will have to try this.

axelair66 Fri, 10/12/2007 - 01:53

Hi guys, have you found any solutions?

I have looked at your config; isn't it missing some static to allow outbound connections?

hianju.heng Wed, 07/16/2008 - 20:56

Hi Mike,

I am doing a similar thing now. Have you gotten your problem resolved?

Best regards,


