Encountered this issue twice so far. When failover occurs between two ASA 5510s, the local IP pool for remote access users no longer works. I have to remove the pool and change the addresses to a different subnet for them to start working again; otherwise I get error 443, unable to obtain IP address for client. There is also a PtP connection to another site that is working just fine on failover, but for some odd reason the client connections suffer from this.
Is this a stateful failover? I located a bug close to your issue that occurs if the address-pool is defined in the group-policy. If you have the VPN pool defined in the group-policy, remove it and define it under the tunnel-group.
Actually yes I have one. There was a failover today and it happened again, even with the pool in the tunnel group. What is interesting is I switched the active back to the primary unit and VPN started working again. Will upgrading to 8.0(4) correct this?
On a side note, failover is sweet; had it not been for this VPN problem, we would have never known it failed over.
I think your issue is very similar to the one documented in the bug ID below. But the interesting part is, if you had configured the VPN pool under the tunnel-group, it should have worked after FO. Having said that, if possible, I would upgrade the ASA to 8.0(4), which has the fix for the bug below, and then do the testing again.
FO: IPSec RA session not replicated if addr pool defined in group policy
*Pls rate if it helps*
Just discovered another issue with VPN. The NAT traversal keeps getting disabled. I checked our ACS logs and at no time was a "no nat-traversal" command issued on either device. Could this be related to the bug?
I have already mentioned Aarul's suggestion.
Todd, first make sure the nat-traversal command was/is already replicated to the standby. If it was, then try upgrading your IOS.
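To make the two suggestions in this thread concrete (moving the address pool from the group-policy to the tunnel-group, and confirming that nat-traversal has replicated to the standby), here is an added ASA configuration fragment. It is not from any poster and not Cisco's own text; the names VPN_POOL, RA_POLICY and RA_TUNNEL and the 10.10.20.0/24 range are constructed placeholders, and the commands are standard ASA 7.x/8.0 syntax.

```cisco
! Added example, not from the thread. Pool, policy and tunnel-group names
! and the address range are constructed placeholders.

! 1. Define the address pool once.
ip local pool VPN_POOL 10.10.20.1-10.10.20.100 mask 255.255.255.0

! 2a. Binding the pool in the group-policy is the configuration the thread
!     advises against (this is where the bug described above hits).
!     Remove it from the group-policy:
group-policy RA_POLICY attributes
 no address-pools value VPN_POOL

! 2b. Bind the pool in the tunnel-group instead, as recommended in the thread.
tunnel-group RA_TUNNEL general-attributes
 address-pool VPN_POOL
 default-group-policy RA_POLICY

! 3. Keep NAT traversal enabled (NAT keepalive interval of 20 seconds).
crypto isakmp nat-traversal 20

! 4. After a failover, verify on the (new) active unit that the pool binding
!    and the nat-traversal line actually replicated and that sessions exist.
show failover
show running-config tunnel-group RA_TUNNEL
show running-config | include nat-traversal
show vpn-sessiondb remote
```

Run the `show` commands on both units after configuring: if `nat-traversal` is missing from the standby's running configuration, replication itself is the problem, which is the check the last reply asks for before considering an upgrade.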