Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
535
Views
10
Helpful
3
Replies

Is There a Way to Shorten VPN Failover Time?

Jesse Shumaker
Level 1
Level 1

‎03-27-2012 04:02 PM

Here's my situation. I have two sites that each have asa 5505's and each have dual ISP's. Currently I'm using sla monitor to failover to the secondary line when there is a detected outage. After this sla failover occurs which seems to be instant, secondary ISP re-establishes the VPN. This process takes about 30 seconds. My thought is that the side which is healthy does not detect the outage due to a preset amount of timeouts and thats where this 30 second delay comes in to re-negotiate the VPN tunnel.

So my question is: can I create a smaller window of time to heartbeat between the two so that the VPN outagage is detected in around 5-10 seconds and thus re-negotiates with the sister sites IP faster?

thanks for your advice

Labels:
0 Helpful
3 Replies 3

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎03-28-2012 01:18 AM

Jesse,

Truth be told 30 seconds is a very decent time for IKE based failover.

What is probably happening is that "healthy" side still can send traffic over existing tunnel until DPDs tell it otherwise.

But you would have to check debugs to understand where the delay comes from. Try setting DPDs to 10 seconds (it should not cause problems for a small deployment).

M.

Jesse Shumaker
Level 1
Level 1
In response to Marcin Latosiewicz

‎03-28-2012 10:26 AM

thanks for the help. yeah they were set on 20 seconds so perhaps lowering this will do the trick. it looks like the tunnel-group keepalives default is 10 seconds with a 2 second retry because when I inputed this it didn't appear in my running config. Is that correct?

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Jesse Shumaker

‎03-28-2012 10:44 AM

That's correct :-)

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i3.html#wp1919163

if in doubt you can do "show run all ..." to see the defaults.

M.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents