IPSec VPN tunnel failover using 'default' peer not failing back?

Unanswered Question
Nov 12th, 2008
Hi

I've got IPSec VPN failover configured on my Cisco 871 router. I've got one crypto map with two peers configured, one set with the 'default' keyword, which is the primary peer, the other only to be used if the first peer fails. I've enabled DPD every 60 seconds and this is able to detect the outage of the primary peer, clear the tunnel and re-establish to the backup peer. The problem is that when the primary peer comes back, the VPN does not fail back over to it and proper communication stops working until I manually clear the tunnel. The remote side of this VPN tunnel has two separate Cisco 871 routers with two internet feeds from two different ISPs. I've tried to enable security-association idletime, but it doesn't seem to be working as the clients are still trying to send data through the tunnel, just not getting a response because they are sending through the tunnel to the backup peer and the remote hosts are responding via the primary peer. Any help would be great. Thanks


Jason

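For reference, the crypto map "preferred peer" setup Jason describes, written out as an added example (this is not his actual configuration). Peer addresses (RFC 5737 ranges), the pre-shared key, ACL name and local subnets are placeholders. The fail-back path in this design is the `default` keyword on `set security-association idle-time`: when the SA to the backup peer sits idle for the configured period it is deleted, and the next negotiation starts at the default peer. DPD only detects a dead peer; it never probes whether the default peer has come back.

```cisco
! Added example, not the poster's configuration. Addresses (RFC 5737 ranges),
! names and the pre-shared key are placeholders.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp key REPLACE-ME address 198.51.100.1
crypto isakmp key REPLACE-ME address 203.0.113.1
!
! Dead Peer Detection: periodic liveness probe every 60 s, retried every 5 s.
! This is what tears down the SA when the active peer stops answering.
crypto isakmp keepalive 60 5 periodic
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 ! Primary (preferred) peer. Only one peer in a crypto map entry may carry 'default'.
 set peer 198.51.100.1 default
 ! Backup peer, tried only after the default peer fails.
 set peer 203.0.113.1
 set transform-set TS
 ! Delete an SA that has carried no traffic for 60 s (the minimum). With
 ! 'default', the next SA negotiation starts at the default peer; this is the
 ! only automatic fail-back mechanism in this design.
 ! Caveat: the timer does not fire while traffic keeps flowing over the
 ! backup SA, so fail-back has to wait for a genuine idle period.
 set security-association idle-time 60 default
 match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
interface FastEthernet4
 crypto map VPN
```

To see which peer currently holds the SA, use `show crypto session` or `show crypto isakmp sa`; to force the switch back by hand, `clear crypto session remote 203.0.113.1` drops the SA to the backup peer so the next packet renegotiates with the default peer.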
Istvan_Rabai Wed, 11/12/2008 - 23:01

Hi Jason,


Personally, I would use GRE over IPSec for failover scenarios.

In this case both tunnels are up at the same time, and the routing protocol would decide about the failover.


You could configure the backup route to have a higher routing metric on both sides of the tunnels, so the backup tunnel is used only in case the other one fails.


This would provide a more reliable failover than traditional IPSec VPNs.


Cheers:

Istvan
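
One way to build the design Istvan describes, as an added example that is not his or the original poster's configuration: two GRE tunnels, each protected by an IPsec profile, both up at the same time, with EIGRP choosing the path. Addresses (RFC 5737 and RFC 1918 ranges), names and the pre-shared key are placeholders; the two remote routers carry the mirror-image configuration. The backup tunnel is made less attractive by raising its interface delay, which worsens the EIGRP composite metric, and the same preference must be configured on both ends so that return traffic takes the same tunnel.

```cisco
! Added example, not Istvan's configuration. Addresses, names and the
! pre-shared key are placeholders; remote routers mirror this on their side.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-ME address 198.51.100.1
crypto isakmp key REPLACE-ME address 203.0.113.1
crypto isakmp keepalive 60 5 periodic
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS
!
! Tunnel to the primary remote router (via ISP A).
! Keeps the default tunnel delay (shown as 50000 usec in 'show interface').
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet4
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROT
!
! Tunnel to the backup remote router (via ISP B). 'delay' is in tens of
! microseconds, so 10000 doubles the default and makes EIGRP prefer Tunnel0.
! When Tunnel0 loses its EIGRP neighbor (hold time expires), the route via
! Tunnel1 takes over; when Tunnel0's neighbor returns, EIGRP moves the route
! back on its own, so no manual clearing is needed.
interface Tunnel1
 ip address 10.255.0.5 255.255.255.252
 tunnel source FastEthernet4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
 delay 10000
!
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
```

The tunnel destinations must remain reachable through the physical default route, never through the tunnels themselves, or the router will flag recursive routing and flap the tunnels. `show ip route` and `show ip eigrp neighbors` confirm which tunnel is carrying the remote prefix at any moment.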



Eric Brown Wed, 12/30/2015 - 14:14
Not sure if anyone will respond since this was an old post but I have a similar problem.

My lab router will fail over to the secondary peer but will not fail back to the default when it becomes available. I have the security-association idle-time 60 default in the crypto map but it never checks if the default peer is available. I have to clear the crypto session to force it back to the default peer.

I have the dead peer detection configured but it seems to only sense when the peer is dead but does not check to see if the default is alive to fail back to it.

Anyone know why this will not fail back to the default as the documentation suggests it should?
