L2L VPN SA is not renegotiating with backup isp in ASA

Unanswered Question
Dec 8th, 2009

Hello,

I have an ASA5520 and I have configured two ISPs in failover mode: if the primary ISP goes down, the backup ISP takes over and internet works fine, but the Site-to-Site IPSec VPN SAs remain on the primary ISP; they are not renegotiated with the backup IP until I clear the cry ipsec sa.

Can someone please help me out?

Parvendra

busterswt Fri, 12/11/2009 - 20:37

Do you have DPD keepalives enabled? If so, and the keepalives fail, the SAs will be cleared by the ASA and the (reachable) backup peer IP would likely be used when the tunnel rebuilds.

krishna_gondi Mon, 12/14/2009 - 01:16

Hi James,

Thanks for the reply. I have configured "isakmp keepalive threshold 10 retry 3" on my ASA5520 but still no success. I have seen an error on syslog, attached below, and I think the problem is on the other side: either Checkpoint does not support keepalive or they haven't configured keepalive.

Dec 14 2009 14:08:23: %ASA-3-713119: Group = 11.22.33.44, IP = 11.22.33.44, PHASE 1 COMPLETED
Dec 14 2009 14:08:23: %ASA-3-713122: IP = 11.22.33.44, Keep-alives configured on but peer does not support keep-alives (type = None)

Please suggest.

Thanks
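An added example, not part of this thread: a small Python check that reads ASA syslog lines of the kind posted above and lists the peers that completed Phase 1 but also returned the 713122 "peer does not support keep-alives" message, so an admin can see at a glance which tunnels DPD will never tear down on its own. The sample lines and IP addresses are constructed (documentation ranges), not from a real capture.

```python
import re

# Constructed sample in the format shown in the thread; IPs are documentation addresses.
SAMPLE_LOG = """\
Dec 14 2009 14:08:23: %ASA-3-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
Dec 14 2009 14:08:23: %ASA-3-713122: IP = 203.0.113.10, Keep-alives configured on but peer does not support keep-alives (type = None)
Dec 14 2009 14:09:01: %ASA-3-713119: Group = 198.51.100.7, IP = 198.51.100.7, PHASE 1 COMPLETED
Dec 14 2009 14:09:02: some unrelated line that should be ignored
"""

# "<Mon DD YYYY HH:MM:SS>: %ASA-<severity>-<6-digit message id>: <body>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# The remote peer is reported as "IP = a.b.c.d" in the message body.
PEER_RE = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

PHASE1_COMPLETED = "713119"
PEER_NO_KEEPALIVE = "713122"


def parse_line(line):
    """Return a dict with ts/sev/msgid/body/peer, or None if not an ASA syslog line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    p = PEER_RE.search(rec["body"])
    rec["peer"] = p.group("ip") if p else None
    return rec


def classify_peers(log_text):
    """Split peers that reached Phase 1 into (no DPD support, DPD ok), both sorted.

    A peer in the first list completed IKE Phase 1 but answered that it does not
    support keep-alives, so its SAs will not be cleared by DPD when the path
    changes; those are the tunnels to watch after an ISP failover.
    """
    phase1, no_dpd = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["peer"] is None:
            continue
        if rec["msgid"] == PHASE1_COMPLETED:
            phase1.add(rec["peer"])
        elif rec["msgid"] == PEER_NO_KEEPALIVE:
            no_dpd.add(rec["peer"])
    return sorted(phase1 & no_dpd), sorted(phase1 - no_dpd)


if __name__ == "__main__":
    missing, ok = classify_peers(SAMPLE_LOG)
    print("peers without DPD support:", missing)
    print("peers with DPD ok:", ok)
```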
