Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

VPN Multiple Peers Failover

We are currently using ASA 5510s in all of our sites. We implemented a load balancing piece of hardware for multiple ISPs at Site A. At Site B and Site C we have configured the VPN tunnel with multiple peers for each of the two IP addresses we are using at Site A.

The failover from IP1 to IP2 seems to work properly from the remote sites (however it takes almost 2 minutes to fail over). However, if IP1 comes back up (which our load balancing then disables IP2), the Remote sites do not fail back to IP1. We have to manually log off the Site to site connection.

Is there any way to:

1. Make the failover time faster from IP1 to IP2.

2. Allow the VPN tunnel to failback to IP1 when IP2 is no longer available.


Re: VPN Multiple Peers Failover

Hi, in this case you are relying on keepalives to make the ASA to go to your secondary peer, this same keepalives are used to make the primary peer to be the preferred one. Unfortunately what you are using here is not a stateful failover but rather a stateless failover and you will always rely on keepalives. Keepalives will query the remote peer for reachability and will determine whether this peer is active or not, if it does not receive response (asa) from the remote peer after a period of time (configurable) then it will try to contact the secondary peer. Same thing will happen when the primary is active, if we still receive response from the secondary then we won't keepalive however if we receive no response after a period of time then we will keepalive it and after a period of time it will go down.

To check the keepalive value that your ASA has, you just simply go ahead and run a "show run all tunnel-group X.X.X.X" where X.X.X.X is the ip address of your remote peer(s) you will see the value there.

CreatePlease to create content