Cisco Support Community
New Member

SLA Monitor and site to site VPN

Hey guys!  I've stumbled onto an issue that I have found a workaround for, but I haven't been able to fully resolve.  I have a location that has 2 ISP connections.  One is being used as the primary Internet while the other serves as a backup.  The SLA monitor configuration works great.  The issue is that when testing site-to-site tunnels with the backup link, the tunnels work fine as well, but when preempting back to the primary the tunnels connect and disconnect over and over.  The only way to correct it is to enter "clear connection all".  What I'm seeing in the debugs is that traffic comes in on the primary ISP but leaves out the backup ISP.  I'm running 9.1.5 code.  If this happened automatically during the wee hours of the night it would be bad, so I need a fix.  Any solutions?

3 REPLIES
New Member

**UPDATE:**

I've worked with TAC on this issue, but no resolution has been found.  Initially, TAC had me create a second set of crypto map statements specifically meant for the backup link.  I disagreed with the notion that it would solve it, but nonetheless, I gave it a try.  Same result.  The only thing that I know to do at this point is to try this in a lab with a different code version.

New Member

**UPDATE:**

I've been looking over the configuration and I've left out the "route outside" commands for the remote network.  It is possible that this was an oversight and could be the solution.  I have it in for the other remote networks at other sites except for this one.  Not sure why this one was missed, but in either case it still needs to be tested to verify.  I'll post the results after testing is complete.

New Member

Previous tests failed with the same issue.  I was able to locate a bug that is similar to what I am experiencing.  Bug ID: CSCue97782

I was able to look more into this and found the following document that explains exactly what is happening.  

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113592-udp-traffic-fails-00.html

The proposed solution is to use the "timeout floating-conn" command.
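For anyone landing on this thread later, here is a condensed ASA configuration that puts the command from the final reply into the context of the dual-ISP setup the thread describes. It is an added example, not the poster's configuration or Cisco's own: the interface names (outside, backup), the addresses (RFC 5737 documentation ranges), the remote VPN network, the metrics, the probe frequency and the 30-second timeout are all assumed values chosen for illustration.

```text
! Added example (not the poster's config): dual-ISP SLA tracking plus the
! floating-conn timeout. Addresses are constructed documentation-range values;
! interface names, metrics and timers are assumed.

! Probe the primary ISP gateway; the tracked default route below is withdrawn
! while the probe fails and reinstated when it recovers.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! Primary default route is tracked; the backup route carries a worse metric and
! is only used while the primary route is withdrawn.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! Explicit routes for the remote VPN network (the "route outside" commands the
! second reply mentions), on both ISPs so tunnel traffic follows the failover.
route outside 10.20.0.0 255.255.0.0 203.0.113.1 1 track 1
route backup 10.20.0.0 255.255.0.0 198.51.100.1 254

! Connections built while the backup route was active keep their original
! egress interface after the primary route returns; that is the "in on the
! primary, out on the backup" pattern in the debugs. With this timeout set,
! the ASA tears such connections down after 30 seconds of a better route being
! available, so they are rebuilt over the primary instead of needing a manual
! "clear connection all".
timeout floating-conn 0:00:30
```

The timeout is disabled (0:00:00) by default, which is why the symptom persists until connections are cleared by hand; the value to pick is a trade-off between how quickly traffic returns to the primary link and how many long-lived sessions you are willing to reset at preemption time.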
