Hey guys! I've stumbled onto an issue that I have found a workaround for, but I haven't been able to fully resolve. I have a location that has 2 ISP connections. One is being used as the primary Internet while the other serves as a backup. The SLA monitor configuration works great. The issue is that when testing site-to-site tunnels with the backup link, the tunnels work fine as well, but when preempting back to the primary, the tunnels connect and disconnect over and over. The only way to correct it is to enter "clear connection all". What I'm seeing in the debugs is that traffic comes in on the primary ISP but leaves out the backup ISP. I'm running 9.1.5 code. If this happened automatically during the wee hours of the night it would be bad, so I need a fix. Any solutions?
I've worked with TAC on this issue, but no resolution has been found. Initially, TAC had me create a second set of crypto map statements specifically meant for the backup link. I disagreed with this notion that it would solve it, but nonetheless, I gave it a try. Same result. The only thing that I know to do at this point is to try this in a lab with a different code version.
I've been looking over the configuration and I've left out the route outside commands for the remote network. It is possible that this could have been an oversight and could possibly be the solution. I have it in for the other remote networks at other sites except for this one. Not sure why this one was missed, but in either case it still needs to be tested to verify. I'll post the results after testing is complete.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: