I just had an incident about the interface / circuit was down suddenly on a pair of ASA 5510, configured as active-stanby, both ASA version are V8.4(5), ASDM 7.1(1)52.
Circuit down suddenly, discover by one of the site-to-site VPN to a remote site connect through this primary circuit was not able to access. But ASA was able failed-over to our standby circuit without any problem expect the VPN to remote site. (Ignore the VPN for a sec, because I didn't set a VPN on the standby circuit)
The most weird thing is, the "downed" circuit status on ASDM was showing a "?", and it was using PPPoE to get its connection, when I access to ASDM, there was no any PPPoE setting on this interface. But when I access by CLI, the PPPoE profile was still on the running-config, but it was not configured to use this PPPoE profile on this interface. After I re-configured this PPPoE profile to this interface, I found out the default route for this circuit was missed. I have to recreate a default route for this circuit. After I recreated these setting, I was able to access Internet by this primary circuit.
But and then I found out the site-to-site VPN was not up because it's profile has changed to use the standby circuit as its outgoing interface automatically. Then I have to create a new VPN profile to use primary circuit as outgoing interface.
After all of these setting, all connection are resumed.
But my question is why the interface down can cause route setting deleted and interface for VPN has been changed?
I have look through those ASA software and ASDM release note from the version that I am using to the updatest version on CISCO, but i cannot find any related to my issue.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :