VPN Multiple Peers Failover

Unanswered Question
Jan 13th, 2009

We are currently using ASA 5510s in all of our sites. We implemented a load-balancing piece of hardware for multiple ISPs at Site A. At Site B and Site C we have configured the VPN tunnel with multiple peers, one for each of the two IP addresses we are using at Site A.

The failover from IP1 to IP2 seems to work properly from the remote sites (however, it takes almost 2 minutes to fail over). However, if IP1 comes back up (at which point our load balancer disables IP2), the remote sites do not fail back to IP1. We have to manually log off the site-to-site connection.

Is there any way to:

1. Make the failover time faster from IP1 to IP2.

2. Allow the VPN tunnel to failback to IP1 when IP2 is no longer available.

Ivan Martinon Tue, 01/13/2009 - 08:22

Hi, in this case you are relying on keepalives to make the ASA go to your secondary peer; these same keepalives are used to make the primary peer the preferred one. Unfortunately, what you are using here is not a stateful failover but rather a stateless failover, and you will always rely on keepalives. Keepalives query the remote peer for reachability and determine whether this peer is active or not; if the ASA does not receive a response from the remote peer after a period of time (configurable), then it will try to contact the secondary peer. The same thing happens when the primary is active: if we still receive responses from the secondary, then we won't keepalive it; however, if we receive no response after a period of time, then we will keepalive it, and after a period of time it will go down.

To check the keepalive value that your ASA has, simply run "show run all tunnel-group X.X.X.X", where X.X.X.X is the IP address of your remote peer(s); you will see the value there.
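As an added illustration of the answer above (this is not configuration from the original post or from Cisco), here is what the relevant pieces look like on a remote-site ASA: a crypto map entry listing both Site A addresses as peers, and one tunnel-group per peer address carrying the keepalive timers that the answer refers to. The peer addresses, ACL and map names, and transform-set name are placeholders; the threshold and retry values shown are the ASA defaults, written out explicitly so they can be tuned rather than left implicit.

```text
! --- Remote-site ASA (e.g. Site B), added example with placeholder names ---

! Interesting traffic for the Site A tunnel (placeholder ACL)
access-list SITEA_TRAFFIC extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0

! One crypto map entry with BOTH Site A peer addresses, listed in order of preference.
! 203.0.113.1 = Site A "IP1", 198.51.100.1 = Site A "IP2" (placeholder addresses)
crypto map OUTSIDE_MAP 10 match address SITEA_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! A tunnel-group must exist for EACH peer address named in the crypto map.
! The keepalive (DPD) timers live under ipsec-attributes of each tunnel-group;
! "threshold" is the idle time before a keepalive is sent, "retry" the interval
! between retries once no answer is received. 10 / 2 are the ASA defaults.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2

! --- Checks ---
! Show the effective keepalive values, including defaults that "show run" hides:
!   show run all tunnel-group 203.0.113.1
!   show run all tunnel-group 198.51.100.1
! Show which Site A address the ASA currently has an IKE SA with:
!   show crypto isakmp sa
```

Because "show run" omits default values, the "show run all" form is the one to use when confirming what the box is actually doing; if the keepalive lines are missing or set to "disable" on either tunnel-group, the ASA has no way to notice that the peer it is talking to has gone away.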
