VPN Stack between locations

Unanswered Question
Sep 16th, 2010

We have site (A) and site (B), there is layer 2 connectivity between the two sites.  The primary ASA is located at site A and the standby ASA is located at site B.  Each site has its own internet connection using BGP.   If the primary ASA fails the secondary takes over, but if the L2 connectivity is lost both go active.

Is there any way to use interface tracking on the primary ASA so that if it loses connectivity to an IP address at site B it shuts down its interface and goes into failed status, so when the secondary ASA goes active there is no IP address conflict?

Federico Coto F... Thu, 09/16/2010 - 12:40

Have not really done it that way, but I'm pretty sure it should work with the IP SLA feature on the ASA.

Have you tried it already?


networker99 Thu, 09/16/2010 - 12:42

No, I am looking for advice on how to configure IP SLA to shut down an interface if an IP is unreachable.

networker99 Thu, 09/16/2010 - 13:18

Thanks, but how can I force the ASA into a failed state if the tracked IP address is unreachable?

praprama Fri, 09/17/2010 - 01:00

Well, the way SLA monitoring on the ASA works, the purpose is to have a backup link in case the primary one fails, using a feature called "Static Route Tracking". This is given in the document that Federico posted. It will not help you with your requirement exactly.

How is the failover interface between the 2 ASAs connected? It is recommended for them to be connected either directly or using a switch in between. We basically need to ensure that the 2 ASAs never lose connectivity over the failover interface. Please ensure that you do this. If you have this, you should not face the problem of both the ASAs going active.

Please do paste a diagram of how the failover interface is connected presently.

Hope this helps!!

networker99 Fri, 09/17/2010 - 05:26

Well, actually there are three sites connected by 10 GB fiber; the ASAs are in two different locations. I just wanted to know if there is a multi-site failover solution that allows the VPN on the ASA to have failover without splitting the pairs, and without configuring a secondary peer.

praprama Fri, 09/17/2010 - 08:27

Well, if you have active/standby failover configured on the ASAs with stateful failover, VPN should failover automatically whenever devices failover. That fits the requirement you have.

Details on what is copied from the active to the standby ASA with stateful failover are given below:

If the 2 ASAs are in different locations then please ensure that we have a reliable connection between them on the "failover interface" and the "stateful failover link" as well for failover to function properly.
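To make the difference concrete, here is an added example configuration (written for this edit, not posted by anyone in the thread) covering both points raised above: SLA-based static route tracking, which only swaps routes and does not fail the unit, and the dedicated failover and stateful links that keep the pair from both going active. All interface names and IP addresses are constructed placeholders.

```cisco
! Added example, not from the thread. Interface names and addresses are
! constructed placeholders; adjust them to the real topology.
!
! 1) Static route tracking: the SLA probe pings the ISP next hop via
!    "outside". If the probe fails, the tracked default route is
!    withdrawn and the floating route via "backup" takes over. This only
!    changes routing; it does not put the ASA into a failed state.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! 2) Active/standby failover with a dedicated failover link and a
!    separate stateful link, as recommended in the replies. Losing the
!    failover link is what makes both units go active, so that path
!    must be reliable end to end between the two sites.
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link statelink GigabitEthernet0/4
failover interface ip statelink 10.255.0.5 255.255.255.252 standby 10.255.0.6
failover polltime unit 1 holdtime 3
! Interface health monitoring: a monitored interface that fails its
! hello/ARP tests lowers the unit's health and can trigger failover.
monitor-interface outside
failover
```

The same `failover lan unit` block, with `secondary` in place of `primary`, goes on the second ASA; the remaining configuration is replicated from the active unit.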
