L2L VPNs on ASAs and failover question

Unanswered Question
Mar 11th, 2009
User Badges:

If I have a pair of ASA firewalls terminating several IPSEC vpn L2L connections, and these firewalls are configured for failover, what happens to the active tunnels if a failover occurs? Is there a disruption or is it transparent? Finally, is there any special config required to make it happen?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
JORGE RODRIGUEZ Wed, 03/11/2009 - 08:57
User Badges:
  • Green, 3000 points or more


The theory behing Ipsec in ASA A/S architecture is when you configure stateful failover the isakmp and IPsec SA table is passed onto standby, so in theory you should not see disruption in a failover , personaly I have yet to test this in a IPsec scenario.

see stateful failover


Quote from above link -

The state information passed to the standby unit includes these:

The NAT translation table

The TCP connection states

The UDP connection states

The ARP table

The Layer 2 bridge table (when it runs in the transparent firewall mode)

The HTTP connection states (if HTTP replication is enabled)

The ISAKMP and IPSec SA table

The GTP PDP connection database

vikram_anumukonda Wed, 04/01/2009 - 19:09
User Badges:
  • Bronze, 100 points or more

I agree with Jorge, There will be no disruption and I did test it out.

cvoisin Wed, 04/01/2009 - 20:11
User Badges:

I'm not sure if you guys are misinformed, but stateful IPsec failover is NOT supported by the ASA. This was confirmed by my local SE. Your SAs will need to be purged on the remote side.

Our ASA right now is flaking out on the primary and is failing right now between active and standby states. The remote VPNs are "staying up" and there are SAs in both the ASA and the remote VPN site routers. Unfortunatly as I said the traffic is not passing over the VPN. So, once I reviewed this with my SE he said you have to go back in and actually remove the SAs from the far end routers and re-initiate interesting traffic. Voila...it works like cake.

I don't want to disagree with anyone too strongly, but again in my experience it doesn't work. I did notice that with a 3800 or greater you can do stateful IPsec failover between two routers that are your VPN termination devices, but all PIX and ASA documentation only shows that the SAs are maintained on the standby device. Nothing in regard to them continuing to work is mentioned.

cvoisin Wed, 04/01/2009 - 14:54
User Badges:

In my experience, with ASAs what will happen is the SAs will indeed move from the primary to the standby ASA. The standby ASA becomes the active ASA. The remote sites still think the original ASA is still up and unfortunately still hold onto their SAs. These SAs on the remote end will not work. I speculate this is because the hardware hashs are going to fail on the IPsec integrity checks. The remote ends manually have to have their SAs purged with a clear crypto sa. After that, re-initiate interesting traffic, and then your tunnels will come back up on the "new" primary ASA.

mtoure2009 Thu, 04/02/2009 - 02:11
User Badges:

Please I have already set up a VPN site to site with Asa 5540 . And I want to set up a 2nd VPN but the 2nd VPN is not working. How can I add 2nd VPN with ASA ASDM ?


This Discussion