I have dual PIXes configured for stateful failover. If and when a failover occurs, the active PIX has no IPsec and ISAKMP security associations active and the remote end (an 831) thinks it still has an active tunnel. At the remote end I have to clear the SAs in order to successfully pass traffic over the tunnel again. Eventually I'll have 18 site-to-site tunnels and certainly don't want to have to telnet to all the remotes and clear their SAs to get up and running again. Is this a bug or what?
The failover PIXes are running 6.3.1 and the remote 831 is running 12.3(2)XE.
It's not a bug, it's just not implemented. Failover does not replicate IPsec tunnels, so when the PIXes fail over, the tunnels will go down. IPsec stateful failover is due in the next major release of code, due out later this year.
For the moment, configure ISAKMP keepalives on both ends; this way the 831 will detect that the tunnel has gone down and will rebuild it automatically.
The "10" says send a keepalive over the tunnel every 10 seconds, and if you get no response, send 3 more keepalives at "2" second intervals. If you get no response to those, bring the tunnel down and try to rebuild it. Worst case scenario with these timers is that your tunnel will be down for 10 + (2 * 3) = 16 seconds.
You can change the timers to suit your needs, although I think 10 and 2 are the minimum. Whatever you make them, just make sure they're the same on all devices.
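The keepalive configuration the answer refers to, written out as an added example that is not part of the original thread. The PIX 6.3 syntax is `isakmp keepalive seconds [retry-seconds]` and the IOS 12.3 syntax on the 831 is `crypto isakmp keepalive seconds [retry-seconds]`; the 10 and 2 are the timer values discussed above, and the assumption is that the rest of the IKE/IPsec configuration (policies, crypto maps, peers) is already in place on both sides. The show commands at the end are the check a practitioner would run after forcing a failover to confirm the old SAs have been torn down and fresh ones negotiated without manually clearing anything.

```text
! --- PIX 6.3 (entered on the active unit; failover replicates it to the standby) ---
! Send a keepalive after 10 s of no traffic from the peer, retry 3 times at 2 s intervals
isakmp keepalive 10 2

! --- Cisco 831, IOS 12.3 ---
! Same timers as the PIX; keep them identical on every peer in the mesh
crypto isakmp keepalive 10 2

! --- Verification after a PIX failover ---
! On the 831: the stale SA should disappear and a new QM_IDLE entry should appear
!   show crypto isakmp sa
!   show crypto ipsec sa
! On the newly active PIX: a fresh ISAKMP SA and IPsec SAs for the 831's peer address
!   show isakmp sa
!   show crypto ipsec sa
```

If the 831 still shows the old SA well past the 16 second worst case, the keepalive was not negotiated (both peers must have it configured before the tunnel is built), so clear the SA once, let the tunnel re-establish, and re-test.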