If I have a pair of ASA firewalls terminating several IPsec VPN L2L connections, and these firewalls are configured for failover, what happens to the active tunnels if a failover occurs? Is there a disruption or is it transparent? Finally, is there any special config required to make it happen?
The theory behind IPsec in an ASA A/S architecture is that when you configure stateful failover the ISAKMP and IPsec SA table is passed on to the standby, so in theory you should not see disruption in a failover; personally I have yet to test this in an IPsec scenario.
I'm not sure if you guys are misinformed, but stateful IPsec failover is NOT supported by the ASA. This was confirmed by my local SE. Your SAs will need to be purged on the remote side.
Our ASA right now is flaking out on the primary and is failing right now between active and standby states. The remote VPNs are "staying up" and there are SAs in both the ASA and the remote VPN site routers. Unfortunately, as I said, the traffic is not passing over the VPN. So, once I reviewed this with my SE he said you have to go back in and actually remove the SAs from the far end routers and re-initiate interesting traffic. Voila...it works like cake.
I don't want to disagree with anyone too strongly, but again in my experience it doesn't work. I did notice that with a 3800 or greater you can do stateful IPsec failover between two routers that are your VPN termination devices, but all PIX and ASA documentation only shows that the SAs are maintained on the standby device. Nothing in regard to them continuing to work is mentioned.
In my experience, with ASAs what will happen is the SAs will indeed move from the primary to the standby ASA. The standby ASA becomes the active ASA. The remote sites still think the original ASA is still up and unfortunately still hold onto their SAs. These SAs on the remote end will not work. I speculate this is because the hardware hashes are going to fail on the IPsec integrity checks. The remote ends manually have to have their SAs purged with a clear crypto sa. After that, re-initiate interesting traffic, and then your tunnels will come back up on the "new" primary ASA.
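One way to spot the stale-SA condition the posts above describe (SA still present on the remote router, tunnel "up", but no traffic passing) is to compare two snapshots of the remote router's crypto SA counters and flag peers whose outbound encaps count keeps climbing while the inbound decaps count stays flat. This is an added example, not code from the thread; the counter field names and the sample output are assumptions modelled on the IOS/ASA 'show crypto ipsec sa' layout, and the snapshots are constructed.

```python
# Added example (not from the thread): flag the stale-SA symptom seen after
# an ASA failover, where the remote peer still holds an IPsec SA but traffic
# no longer passes. From the remote router's side the SA's outbound
# "#pkts encaps" keeps rising while inbound "#pkts decaps" stays flat.
# Field names and sample output are constructed and assumed to follow the
# IOS/ASA 'show crypto ipsec sa' layout.
import re

PEER_RE = re.compile(r"current_peer\s+(\d+\.\d+\.\d+\.\d+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_sa_counters(text):
    """Return {peer_ip: (encaps, decaps)} from one 'show crypto ipsec sa' snapshot."""
    counters, peer = {}, None
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            peer = m.group(1)
            counters.setdefault(peer, [0, 0])
        elif peer and (m := ENCAPS_RE.search(line)):
            counters[peer][0] = int(m.group(1))
        elif peer and (m := DECAPS_RE.search(line)):
            counters[peer][1] = int(m.group(1))
    return {p: tuple(v) for p, v in counters.items()}


def stale_peers(before, after):
    """Peers whose SA sent packets (encaps rose) but received none (decaps flat)
    between two snapshots taken some time apart. Such an SA is the one that has
    to be cleared on the remote end and re-triggered with interesting traffic."""
    stale = []
    for peer, (enc_b, dec_b) in before.items():
        enc_a, dec_a = after.get(peer, (enc_b, dec_b))
        if enc_a > enc_b and dec_a == dec_b:
            stale.append(peer)
    return sorted(stale)


# Constructed snapshots: peer .10 is healthy, peer .20 shows the failover symptom.
SNAPSHOT_1 = """\
   current_peer 203.0.113.10 port 500
    #pkts encaps: 1000, #pkts encrypt: 1000, #pkts digest: 1000
    #pkts decaps: 980, #pkts decrypt: 980, #pkts verify: 980
   current_peer 203.0.113.20 port 500
    #pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500
    #pkts decaps: 490, #pkts decrypt: 490, #pkts verify: 490
"""
# Second snapshot: .10 sends and receives, .20 only sends (decaps unchanged).
SNAPSHOT_2 = SNAPSHOT_1.replace("encaps: 1000", "encaps: 1100").replace(
    "decaps: 980", "decaps: 1075").replace("encaps: 500", "encaps: 560")
```

Running `stale_peers(parse_sa_counters(SNAPSHOT_1), parse_sa_counters(SNAPSHOT_2))` on the constructed snapshots returns only the peer whose SA has gone stale.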