ASA5510 and L2L failover, is it stateful?

Unanswered Question
Aug 18th, 2008

I have an Active/Standby pair of ASA5510 firewalls, configured for ISP failover and I have IPsec L2L tunnels to my two remote sites. The remote sites also have Active/Standby 5510s. If my primary ISP connection fails over to the secondary ISP, what is the effect to my L2L tunnels? Do the clients using the tunnel notice any disruption of service? Do the sessions maintain state, or are re-connections necessary?

Thanks in advance,

- Jericho

Marwan ALshawi Mon, 08/18/2008 - 18:15

As you stated, you said different ISPs.

So that means in the event of failover the new session will involve a new source IP address, and then a new session establishment is needed.

So it will need to re-establish the session.

I just analyzed it; if anyone has another idea, that would be great.

Good luck.

ggilbert Tue, 08/19/2008 - 07:19


Question for you - Do the Active and the standby have dual ISPs for backup purposes?

If that is the case, then the tunnel information should be passed on to the secondary pair.

When the primary pair is active and the tunnels are working, can you log into the secondary and do "sh cry isa sa"? It should show the status of the tunnel as STANDBY.

If that is the case, then the clients on the other side will not see any disruption of service. But if the ISP fails and it switches to the second ISP, which is your backup, then they sure will see disruption of service. In which case, the tunnels need to be re-negotiated.

So in conclusion with regard to your scenario:

If it is firewall failover, you should not see disruption of service.

If it is ISP failover, you will see disruption of service.

Hope this answers your question.

Rate this post, if it does.
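The check suggested above (compare the IKE SAs on the active and standby units) can be done by hand, but when there are many L2L tunnels it is easier to script. The following is an added example, not from the thread or from Cisco: it parses constructed sample output in the layout of "show crypto isakmp sa" on an ASA 8.x and reports, per peer, whether the tunnel is mirrored on the standby unit (MM_ACTIVE on the active, MM_STANDBY on the standby) and so would survive a unit failover without renegotiation. The peer addresses, the exact column layout and the standby's header counters are assumptions; only the per-peer blocks matter to the parser.

```python
import re

# Constructed sample output (not captured from the thread's firewalls),
# laid out like "show crypto isakmp sa" on an ASA 8.x. Peer addresses are
# documentation-range placeholders. The second peer is deliberately absent
# from the standby unit to show what a non-replicated tunnel looks like.
ACTIVE_UNIT_OUTPUT = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 203.0.113.20
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

STANDBY_UNIT_OUTPUT = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_STANDBY
"""

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
TYPE_RE = re.compile(r"Type\s*:\s*(\S+)")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")


def parse_isakmp_sa(output):
    """Return {peer_ip: {"type": ..., "state": ...}} from the command output.

    A new entry starts at each "IKE Peer:" line; the Type and State fields on
    the following lines are attached to the most recent peer. Header lines
    (SA counters) carry no "IKE Peer:" token and are skipped.
    """
    sas = {}
    current = None
    for line in output.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = m.group(1)
            sas[current] = {"type": None, "state": None}
            continue
        if current is None:
            continue
        m = TYPE_RE.search(line)
        if m:
            sas[current]["type"] = m.group(1)
        m = STATE_RE.search(line)
        if m:
            sas[current]["state"] = m.group(1)
    return sas


def check_replication(active_output, standby_output):
    """Compare the IKE SA tables of the two failover units.

    A peer is "replicated" when the active unit holds it in an *_ACTIVE state
    (MM_ACTIVE for main mode) and the standby holds the same peer in a
    *_STANDBY state. Every other combination is a finding: that tunnel would
    have to renegotiate after a unit failover.
    """
    active = parse_isakmp_sa(active_output)
    standby = parse_isakmp_sa(standby_output)
    report = {}
    for peer, sa in active.items():
        mirror = standby.get(peer)
        if not (sa["state"] or "").endswith("_ACTIVE"):
            report[peer] = "not established on active unit (%s)" % sa["state"]
        elif mirror is None:
            report[peer] = "missing on standby unit"
        elif not (mirror["state"] or "").endswith("_STANDBY"):
            report[peer] = "standby state %s, expected *_STANDBY" % mirror["state"]
        else:
            report[peer] = "replicated"
    # SAs known only to the standby are stale and worth flagging as well.
    for peer in standby.keys() - active.keys():
        report[peer] = "present only on standby unit"
    return report


if __name__ == "__main__":
    for peer, status in sorted(check_replication(ACTIVE_UNIT_OUTPUT, STANDBY_UNIT_OUTPUT).items()):
        print("%-16s %s" % (peer, status))
```

Run it against the real command output from both units (captured with "show crypto isakmp sa" while the tunnels are up) instead of the constructed strings. Note that this only tells you a tunnel survives a unit failover; as the replies say, an ISP failover changes the local peer address, and nothing in the SA table will save a tunnel from renegotiating in that case.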



jrchgtrrz Tue, 08/19/2008 - 08:06

Gilbert, just to clarify, I'm using a single pair of ASAs in Active-Standby mode. I have my backup ISP link connected to an interface on each ASA, but external traffic flows to my primary ISP on the ASA's Outside interface.

From your reply, I'm concluding the following:

- If my primary ASA fails over to the secondary AND the primary ISP is still UP, my tunnel clients see no disruption.

- If my primary ISP is DOWN, and my backup ISP is active, my tunnel clients will see disruption for a brief period, until the tunnels renegotiate. Correct?

All of this assumes I have correctly configured the respective secondary peer for each tunnel definition.


- Jericho

ggilbert Tue, 08/19/2008 - 10:49


Assuming you have configured everything right, yes, you have concluded the answers correctly.


Farrukh Haroon Tue, 08/19/2008 - 11:43

If the VPNs are terminated on the ASAs on both sides and the routers shift to the other ISP, there will be no disruption of service, provided that the IPsec peers (VPN gateways) can reach each other. What internet path they use to reach each other is irrelevant as far as IPsec is concerned! This assumes you have a provider-independent IP block (as in, owned by you). Otherwise you already have the answer from two experts.



