I have configured a remote site as an EasyVPN client... a 5505. At the headend I have a pair of routers running HSRP with a pair of ASA 5510s behind them.
When I pull the plug on one of the HSRP routers it takes about 60 seconds for the remote site to come up on the second VPN server IP, which is actually a second ISP's address NAT'd to the same 5510s that it was already up on before I failed the router... but it was using an address from the first ISP.
Anyway, it also takes 60 seconds to fail back. 60 seconds is really too long in today's world. How can I make it failover a bit quicker? What is determining the 60 seconds...it's very consistent which suggests a parameter somewhere.
I messed with ISAKMP keepalives with no success so far.
I think redirection to backup VPN servers can happen under different situations, i.e., when phase 1 is being attempted, when phase 2 is being attempted (CM, phase 1 complete and phase 2 being initiated after some time), and when both phase 1 and phase 2 are up and DPD (Dead Peer Detection) detects a down peer. The latency associated with rollover hence depends on the parameters associated with each such situation. Rollover during phase 1 and phase 2 attempts happens approximately after a minute, which is the latency associated with timeouts in those scenarios. Rollover through DPD is a function of the isakmp keepalive configuration and is typically 25 seconds with a keepalive value of 10 seconds. The failover is not stateful. Session keys are not exchanged between primary and secondary servers.
I ended up not using the EasyVPN function and manually building a lan-to-lan crypto map at the remote site with two peers. It fails over much faster than when configured as an EasyVPN client. It still doesn't swap as fast as I would like, but better. The isakmp keepalives are set at the minimum values.
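For reference, here is what the approach in the post above looks like on the remote ASA 5505: a LAN-to-LAN crypto map listing both headend addresses as peers, with isakmp keepalives at the minimum values. This is an added example, not the poster's actual configuration. The addresses (192.0.2.0/24 for the remote LAN, 10.10.0.0/16 for the headend LAN, 203.0.113.10 and 198.51.100.10 as the two headend VPN addresses), the pre-shared key, and the object names are assumed for illustration. The syntax is the pre-8.4 ASA form to match the era of the thread; on 8.4 and later the same statements use the `ikev1` keyword (`crypto ikev1 policy`, `crypto ipsec ikev1 transform-set`, `set ikev1 transform-set`, `ikev1 pre-shared-key`).

```cisco
! --- Added example (not from the original post). All addresses, names and the
! --- PSK are placeholders; replace them with the values for your deployment.

! Traffic to protect: remote LAN -> headend LAN
access-list L2L_ACL extended permit ip 192.0.2.0 255.255.255.0 10.10.0.0 255.255.0.0

! Do not NAT the VPN traffic (pre-8.3 NAT exemption style)
access-list NONAT extended permit ip 192.0.2.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Phase 1 policy
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! Phase 2 transform set
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! One crypto map entry, two peers: the ASA uses the first peer and falls
! back to the second when the first is unreachable.
crypto map OUTSIDE_MAP 10 match address L2L_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! One tunnel-group per peer address; the PSK must match the headend.
! Keepalive at the ASA minimums: threshold 10 s idle before a DPD is sent,
! retry 2 s between retries. Lower values mean faster dead-peer detection
! but more DPD traffic and more sensitivity to transient loss.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_STRONG_PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_STRONG_PSK
 isakmp keepalive threshold 10 retry 2
```

To watch the switchover, `show crypto isakmp sa` and `show crypto ipsec sa` on the 5505 show which peer address the SAs are built to; after pulling the HSRP router, the SA to the first peer should be torn down and a new one built to the second. As the earlier reply notes, detection and re-establishment are separate from keying: the failover is not stateful, so phase 1 and phase 2 are renegotiated with the backup peer and traffic is dropped until that completes.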