Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

EasyVPN server retry takes too long.

I have configured a remote site as an EasyVPN client...a 5505. At the headend I have a pair of routers running HSRP with a pair of ASA 5510's behind them.

When I pull the plug on one of the HSRP routers is takes about 60 seconds for the remote site to come up on the second VPN server IP, which is actually a second ISP's address NAT'd to the same 5510's that it was already up on before I failed the router....but was using an address from the first ISP.

Anyway, it also takes 60 seconds to fail back. 60 seconds is really too long in today's world. How can I make it failover a bit quicker? What is determining the 60's very consistent which suggests a parameter somewhere.

I messed with ISAKMP keepalives with no success so far.




Re: EasyVPN server retry takes too long.

I think redirection to backup VPN servers can happen under different situations i.e when phase 1 is being attempted, when phase 2 is being attempted (CM, phase 1 complete and phase 2 being initiated after some time) and when both phase 1 and phase 2 are up and DPD(Dead Peer Detection) detects a down peer. The latency associated with rollover hence depends on the parameters associated with each such situation. Rollover during phase 1 and phase 2 attempts happens approximately after a minute, which is the latency associated with timeouts in those scenarios. Rollover through DPD is a function of the isakmp keepalive configuration and is typically 25 seconds with a keepalive value of 10 seconds. The failover is not stateful. Sessions keys are not exchanged between primary and secondary servers.

New Member

Re: EasyVPN server retry takes too long.

Cool, thanks for the reply.

I ended up not using the EasyVPN function and maually building a lan-to-lan crypto map at the remote site with two peers. It fails over much faster than when configured as an EasyVPN client. It still doesn't swap as fast as I would like, but better. The isakmp keepalives are set at the minimum values.

Thanks again.

CreatePlease to create content