L2L VPN SA is not renegotiating with backup isp in ASA

Unanswered Question
Dec 8th, 2009


I have an ASA5520 and I have configured two ISPs in failover mode: if the primary ISP goes down, the backup ISP takes over and the internet works fine, but the Site-to-Site IPsec VPN SAs remain on the primary ISP; they are not renegotiated with the backup IP until I clear the crypto IPsec SA.

Can someone please help me out?


busterswt Fri, 12/11/2009 - 20:37
User Badges:
  • Bronze, 100 points or more

Do you have DPD keepalives enabled? If so, and the keepalives fail, the SAs will be cleared by the ASA and the (reachable) backup peer IP would likely be used when the tunnel rebuilds.

krishna_gondi Mon, 12/14/2009 - 01:16

Hi James,

Thanks for the reply. I have configured "isakmp keepalive threshold 10 retry 3" on my ASA5520 but still no success. I have seen an error in the syslog, attached below, and I think the problem is on the other side: either the Checkpoint does not support keepalives or they haven't configured keepalives.

Dec 14 2009 14:08:23: %ASA-3-713119: Group =, IP =, PHASE 1 COMPLETED
Dec 14 2009 14:08:23: %ASA-3-713122: IP =, Keep-alives configured on but peer does not support keep-alives (type = None)

Please suggest.
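An added example, not part of the thread and not Cisco's code: a small Python script that scans ASA syslog for the %ASA-3-713122 message above (keepalives configured, peer does not support them) and lists the IKE peers whose stale SAs DPD will never tear down, which is exactly the condition under which an ISP failover leaves the tunnel stuck on the old address. The sample syslog lines, the peer addresses (RFC 5737 documentation ranges) and the function names are constructed for this example; only the two message IDs, 713119 and 713122, come from the post.

```python
"""Audit ASA syslog for IKE peers that will not honour DPD keepalives (added example)."""
import re
from collections import defaultdict

# Header of every ASA syslog line: timestamp, severity, six-digit message ID, body.
ASA_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# "IP = 203.0.113.10," style field in the body; the value is empty when redacted ("IP =,").
PEER_IP = re.compile(r"\bIP = ?(?P<ip>[^,\s]*)")

PHASE1_COMPLETED = "713119"    # Phase 1 (IKE SA) established with the peer
PEER_NO_KEEPALIVE = "713122"   # keep-alives configured, but peer does not support them

# Constructed sample log (assumption: not taken from the original post).
# 203.0.113.10 advertises no DPD support; 198.51.100.7 completes Phase 1 cleanly.
SAMPLE_SYSLOG = """\
Dec 14 2009 14:08:23: %ASA-3-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
Dec 14 2009 14:08:23: %ASA-3-713122: IP = 203.0.113.10, Keep-alives configured on but peer does not support keep-alives (type = None)
Dec 14 2009 14:09:01: %ASA-3-713119: Group = 198.51.100.7, IP = 198.51.100.7, PHASE 1 COMPLETED
"""


def parse_asa_line(line):
    """Split one ASA syslog line into its fields; None for lines that are not ASA messages."""
    m = ASA_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ipm = PEER_IP.search(rec["body"])
    # An empty IP field (as in the redacted lines in the post) is reported explicitly.
    rec["peer"] = ipm.group("ip") if ipm and ipm.group("ip") else "(redacted)"
    return rec


def audit_dpd(syslog_text):
    """Return {peer: {"phase1": n, "dpd_unsupported": bool}} for every peer seen."""
    peers = defaultdict(lambda: {"phase1": 0, "dpd_unsupported": False})
    for line in syslog_text.splitlines():
        rec = parse_asa_line(line)
        if rec is None:
            continue
        if rec["msgid"] == PHASE1_COMPLETED:
            peers[rec["peer"]]["phase1"] += 1
        elif rec["msgid"] == PEER_NO_KEEPALIVE:
            peers[rec["peer"]]["dpd_unsupported"] = True
    return dict(peers)


def peers_without_dpd(syslog_text):
    """Peers whose SAs will survive a dead path because DPD cannot detect it."""
    return sorted(p for p, s in audit_dpd(syslog_text).items() if s["dpd_unsupported"])


if __name__ == "__main__":
    for peer, state in audit_dpd(SAMPLE_SYSLOG).items():
        flag = ("NO DPD: stale SAs will outlive an ISP failover"
                if state["dpd_unsupported"] else "ok")
        print(f"{peer:15} phase1={state['phase1']} {flag}")
```

Run it against a syslog export (for example, feed the file contents to `peers_without_dpd`). Any peer it lists is one where, as busterswt describes, the ASA has no keepalive failure to react to, so the SA for the old ISP address stays up until it is cleared by hand or expires; the fix has to come from the far end enabling DPD, not from further ASA-side tuning of the threshold and retry values.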


