Stateful failover - strange issues with remote site IPSEC VPN connectivity
Our ASAs are running version 7.2(4)30 and configured as a failover pair. We have several hundred remote sites with IPSEC VPN connections terminating on the ASA.
We have had some strange problems when a failover occurs due to an interface failure. When the outside interface on our primary ASA fails, the system should failover to the secondary ASA and stateful failover should ensure that all our IPSEC VPN connections remain unaffected.
However, what we have found is that, while the failover occurs as expected, when traffic is then flowing through the secondary (new active) ASA, a large number of our remote sites can no longer connect (perhaps as much as 20% of the sites). We have tried everything we can (rebooting remote routers, clearing down SAs from the ASA, etc.) but cannot re-establish these IPSEC sessions until we failover to the primary ASA again.
There is another strange problem in that, for our remote sites, we typically use Cisco 877 routers with a loopback interface (for monitoring and management purposes) and the VLAN on a separate subnet for the operational traffic.
For literally a handful of sites, we have found that after the failover occurs we can no longer connect to the loopback interface on the router but the "operational traffic" remains unaffected (this is even after failing back over to the primary unit again).
We've tried everything possible at the remote site (rebooted router, reloaded config into flash and rebooted, etc.) and everything we can think of on the ASA (clearing down SAs, removing then re-applying relevant config, etc.) but still cannot establish connectivity with the loopback interfaces on these few sites.
However, after rebooting both ASA units in turn, then full connectivity WAS restored.
Has anyone come across these kinds of issues before? I'm wondering if it's anything to do with how long the ASA units have been "up" for and perhaps the reboot helps clear out "stale" information of some kind, and/or if this is an IOS issue? (It was around 7 months since our ASAs had last been rebooted.)