IPSec VPN tunnel failover using 'default' peer not failing back?
I've got IPSec VPN failover configured on my Cisco 871 router. I've got one crypto map with two peers configured, one set with the 'default' keyword, which is the primary peer, the other only to be used if the first peer fails. I've enabled DPD every 60 seconds and this is able to detect the outage of the primary peer, clear the tunnel and re-establish to the backup peer. The problem is that when the primary peer comes back, the VPN does not fail back over to it and proper communication stops working until I manually clear the tunnel. The remote side of this VPN tunnel has two separate Cisco 871 routers with two internet feeds from two different ISPs. I've tried to enable security-association idletime, but it doesn't seem to be working as the clients are still trying to send data through the tunnel, just not getting a response because they are sending through the tunnel to the backup peer and the remote hosts are responding via the primary peer. Any help would be great. Thanks
Not sure if anyone will respond since this was an old post, but I have a similar problem.
My lab router will fail over to the secondary peer but will not fail back to the default when it becomes available. I have the security-association idle-time 60 default in the crypto map but it never checks if the default peer is available. I have to clear the crypto session to force it back to the default peer.
I have the dead peer detection configured but it seems to only sense when the peer is dead but does not check to see if the default is alive to fail back to it.
Anyone know why this will not fail back to the default as the documentation suggests it should?
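For reference, the three pieces both posts are describing (a default peer, periodic DPD, and the idle timer with the default keyword) look like this on IOS. This is an added example configuration, not either poster's actual config; the map name, ACL number, transform-set name and the peer addresses (documentation ranges) are constructed placeholders.

```cisco
! Periodic DPD: send a keepalive every 60 s, retry every 10 s when unanswered.
! This is what detects a dead primary and lets the map move to the next peer.
crypto isakmp keepalive 60 10 periodic

crypto ipsec transform-set TS esp-aes esp-sha-hmac

crypto map VPNMAP 10 ipsec-isakmp
 ! First peer carries the default keyword: it is always tried first
 ! when a new SA is negotiated. The second is used only if the first fails.
 set peer 203.0.113.1 default
 set peer 198.51.100.1
 ! Tear the SA down after 60 s with no traffic; the default keyword means
 ! the next negotiation starts again with the default peer rather than
 ! staying on whichever peer is currently up.
 set security-association idle-time 60 default
 set transform-set TS
 match address 101

! Checks while troubleshooting fail-back:
!  show crypto session          - which peer the active SA is built to
!  show crypto ipsec sa         - per-SA packet counters; if the encaps
!                                 counter keeps rising the SA is not idle
!  show crypto isakmp sa        - state of the IKE SA to each peer
```

One thing to keep in mind when reading the counters: the idle timer only fires when no traffic has crossed the SA for the configured period. In the situation described in the question, where hosts keep sending through the tunnel to the backup peer even though replies come back via the primary, the outbound traffic alone keeps the SA busy, so the idle timer never expires and the router never gets the chance to renegotiate with the default peer. That matches the symptom of fail-back only happening after a manual clear.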