
SLA Monitor and site to site VPN

Matthew Ratliff
Level 1

Hey guys! I've stumbled onto an issue that I have found a workaround for, but I haven't been able to fully resolve. I have a location that has 2 ISP connections. One is being used as the primary Internet while the other serves as a backup. The sla monitor configuration works great. The issue is that when testing site to site tunnels with the backup link, the tunnels work fine as well, but when preempting back to the primary the tunnels connect and disconnect over and over. The only way to correct it is to enter "clear connection all". What I'm seeing in the debugs is that traffic comes in on the primary ISP but leaves out the backup ISP. I'm running 9.1.5 code. If this happened automatically during the wee hours of the night it would be bad, so I need a fix. Any solutions?

3 Replies

Matthew Ratliff
Level 1

**UPDATE:**

I've worked with TAC on this issue, but no resolution has been found. Initially, TAC had me create a second set of crypto map statements specifically meant for the backup link. I disagreed with the notion that it would solve it, but nonetheless, I gave it a try. Same result. The only thing that I know to do at this point is to try this in a lab with a different code version.


**UPDATE:**

I've been looking over the configuration and I've left out the route outside commands for the remote network. It is possible that this could have been an oversight and could possibly be the solution. I have it in for the other remote networks at other sites except for this one. Not sure why this one was missed, but in either case it still needs to be tested to verify. I'll post the results after testing is complete.

Previous tests failed with the same issue. I was able to locate a bug that is similar to what I am experiencing. Bug ID is: CSCue97782

I was able to look more into this and found the following document that explains exactly what is happening.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113592-udp-traffic-fails-00.html

The proposed solution is to use the "timeout floating-conn" command.
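The dual-ISP failover setup this thread describes, with the floating-conn timeout from the last post, as an added ASA configuration example (not from the original post or from the linked Cisco document); interface names, IP addresses and the timer value are constructed placeholders.

```cisco
! Added example: tracked primary default route with a backup route, plus the
! floating-conn timeout proposed above. Addresses are constructed placeholders
! (RFC 5737 documentation ranges); adapt interface names and next hops.

! Probe the primary ISP next hop (or a reliable host behind it) with ICMP.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now

! Track reachability of the probe; the tracked route is withdrawn when it fails.
track 1 rtr 10 reachability

! Primary default route (metric 1) is tracked; the backup has a higher metric
! so it is only installed while the tracked route is gone.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254

! Per-site route for the remote VPN network (the "route outside" command the
! second update notes was missing), tied to the same tracked next hop so it
! fails over and preempts in step with the default route.
route outside 10.20.0.0 255.255.0.0 203.0.113.1 1 track 1

! Tear down existing connections whose best route has changed. The default is
! 0:00:00 (disabled); left disabled, flows built while the backup was active
! keep egressing via the backup after preemption, which matches the
! inbound-on-primary / outbound-on-backup symptom seen in the debugs above.
timeout floating-conn 0:01:00
```

After applying this, watch `show conn` during a preempt test: connections pinned to the backup interface should age out within the configured floating-conn window instead of requiring `clear connection all`.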
