I have an Active/Standby pair of ASA5510 firewalls, configured for ISP failover, and I have IPsec L2L tunnels to my two remote sites. The remote sites also have Active/Standby 5510s. If my primary ISP connection fails over to the secondary ISP, what is the effect on my L2L tunnels? Do the clients using the tunnel notice any disruption of service? Do the sessions maintain state, or are re-connections necessary?
Question for you: do the active and the standby have dual ISPs for backup purposes?
If that is the case, then the tunnel information should be passed on to the secondary pair.
When the primary pair is active and the tunnels are working, can you log into the secondary and do "sh cry isa sa"? It should show the status of the tunnel as STANDBY.
If that is the case, then the clients on the other side will not see any disruption of service. But if the ISP fails and it switches to the second ISP, which is your backup, then they will certainly see a disruption of service, in which case the tunnels need to be re-negotiated.
So in conclusion with regard to your scenario:
If it is firewall failover, you should not see disruption of service.
If it is ISP failover, you will see disruption of service.
Gilbert, just to clarify, I'm using a single pair of ASAs in Active-Standby mode. I have my backup ISP link connected to an interface on each ASA, but external traffic flows to my primary ISP on the ASA's Outside interface.
From your reply, I'm concluding the following:
- If my primary ASA fails over to the secondary AND the primary ISP is still UP, my tunnel clients see no disruption.
- If my primary ISP is DOWN, and my backup ISP is active, my tunnel clients will see disruption for a brief period, until the tunnels renegotiate. Correct?
All of this assumes I have correctly configured the respective secondary peer for each tunnel definition.
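As an added example (not configuration posted by anyone in this thread), here is a sketch of what "correctly configured the respective secondary peer" looks like on the ASA side of the scenario described above: tracked default routes that swing traffic to the backup ISP, a crypto map on each ISP-facing interface, and the remote site listing both of the headquarters addresses as peers so it can re-negotiate with whichever address the tunnel now comes from. All addresses are hypothetical (RFC 5737 documentation ranges), the interface names `outside` and `backup` and the object names are assumed, and the syntax is the ASA 8.4+ IKEv1 form; pre-8.3 NAT exemption and IKEv2 are left out.

```text
! --- Headquarters ASA pair (active/standby; the standby shares these
! --- addresses through failover, so the remote peer only ever sees two).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0 standby 198.51.100.11

! Probe the primary ISP gateway; if it stops answering, the tracked default
! route is withdrawn and the higher-metric route via the backup ISP is used.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254

! Same traffic selector and same remote peer on both ISP interfaces.
access-list L2L_SITE_A extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address L2L_SITE_A
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

crypto map BACKUP_MAP 10 match address L2L_SITE_A
crypto map BACKUP_MAP 10 set peer 192.0.2.10
crypto map BACKUP_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map BACKUP_MAP interface backup
crypto ikev1 enable backup

tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key <hypothetical-psk>
 ! DPD so the stale SA to the old address is torn down promptly after a switch
 isakmp keepalive threshold 10 retry 2

! --- Remote site ASA: the tunnel is identified by peer address, so a new
! --- IKE/IPsec SA must be built when headquarters shows up from the backup
! --- address. Both addresses are listed as peers (tried in order when this
! --- side initiates; either accepted when it responds) and each needs its
! --- own tunnel-group carrying the pre-shared key.
access-list L2L_HQ extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L_HQ
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <hypothetical-psk>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <hypothetical-psk>
 isakmp keepalive threshold 10 retry 2
```

To verify the two cases discussed in the thread: `show failover` and `show crypto isakmp sa` on the standby unit confirm that the SAs are replicated (box failover, no re-negotiation), while `show track 1` and `show route` during a primary-ISP outage confirm the route swing, after which `show crypto isakmp sa` on the remote site should show a fresh SA with 198.51.100.10 as the peer (ISP failover, brief outage while IKE re-negotiates). Without the DPD keepalives, the remote site keeps the dead SA to 203.0.113.10 until its lifetime expires, which lengthens that outage.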
If the VPNs are terminated on the ASAs on both sides and the routers shift to the other ISP, there will be no disruption of service, provided that the IPsec peers (VPN gateways) can reach each other. What internet path they use to reach each other is irrelevant as far as IPsec is concerned! This assumes you have a provider-independent IP block (as in, owned by you). Otherwise you already have the answer from two experts.
We have configured the outside and inside interfaces with official IPv6 addresses and set a default route on the outside interface to our router. We have also defined a rule, which does get hits, to permit TCP from the inside interface to any6.
In Syslog I also se...