Cisco Support Community
Community Member

Stateful failover - strange issues with remote site IPSEC VPN connectivity

Our ASAs are running version 7.2(4)30 and configured as a failover pair. We have several hundred remote sites with IPSEC VPN connections terminating on the ASA.

We have had some strange problems when a failover occurs due to an interface failure. When the outside interface on our primary ASA fails, the system should failover to the secondary ASA and stateful failover should ensure that all our IPSEC VPN connections remain unaffected.

However, what we have found is that, while the failover occurs as expected, when traffic is then flowing through the secondary (new active) ASA, a large number of our remote sites can no longer connect (perhaps as much as 20% of the sites) We have tried everything we can (rebooting remote routers, clearing down SA's from the ASA etc) but cannot re-establish these IPSEC sessions until we failover to the primary ASA again.

There is another strange problem in that, for our remote sites, we typically use Cisco 877 routers with a loopback interface (for monitoring and management purposes) and the VLAN on a separate subnet for the operational traffic.

For literally a handful of sites, we have found that after the failover occurs we can no longer connect to the loopback interface on the router but the “operational traffic” remains unaffected (this is even after failing back over to the primary unit again).

We've tried everything possible at the remote site (rebooted router, reloaded config into flash and rebooted, etc) and everything we can think of on the ASA (clearing down SA's, removing then re-applying relevant config, etc) but still cannot establish connectivity with the loopback interfaces on these few sites.

However, after rebooting both ASA units in turn, then full connectivity WAS restored.

Has anyone come across these kind of issues before? I'm wondering if it's anything to do with how long the ASA units have been “up” for and perhaps the reboot helps clear out “stale” information of some kind and/or if this is an IOS issue? (it was around 7months before our ASAs had last been rebooted?)

Any thoughts/advice would be appreciated. Thanks.

CreatePlease to create content