If you configured a VPN with multiple peer IP addresses for a crypto entry, the VPN gets established with the backup peer IP once the primary peer goes down. However, once the primary peer comes back, the VPN does not preempt to the primary IP address. You must manually delete the existing SA in order to reinitiate the VPN negotiation and switch it over to the primary IP address. As the conclusion says, VPN preempt is not supported in the site-to-site tunnel.
The IKEv1/IPsec standard does not, or at least a couple of years ago it didn't, have a mechanism to check whether the remote peer is available for negotiation (not to say that the OS cannot make certain decisions on behalf of IKE), i.e. you never know when IKE on the remote end is back up unless you try to send a negotiation.
A simple sla + track and EEM script will preempt those connections for you.
Log in to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...