We have a primary ASA5540 at our head office which provides our main site internet connection and terminates all the IPSEC VPNs to our remote sites.
We also have a secondary ASA5540 at our "failover" site where we have another internet pipe. The idea being that, if there is a problem with our main internet pipe or primary ASA, comms will fail over to the secondary ASA and we will still have connectivity.
The head office and failover sites are a few miles apart and are connected by a LES (LAN Extension Service) circuit. We have a core switch at each site with an isolated "failover" VLAN configured for the connections between the 2 ASA firewalls. The switch ports are configured with "spanning-tree portfast" enabled and trunking disabled ("switchport mode access").
The issue we are facing is that, whenever a failover occurs (e.g. if the main internet pipe goes down), the failover to the secondary unit happens, but we seem to lose connectivity with all our remote offices.
I have attached a diagram to show the basic set-up and also included the "show run failover" and "show failover" output (with IP addresses removed) from each unit.
Does anyone have any suggestions as to what the issue might be and how we can set this up so that all connectivity (including remote VPN connections) will resume when a failover occurs?
It's also a difficult one to troubleshoot as we need downtime in order to test it (as all remote sites connect over the primary internet pipe). If we organise a test window, can anyone suggest the best debugging/troubleshooting commands to run in order to help us resolve the issue?
Any help/advice on this one would be greatly appreciated!