Cisco Support Community
New Member

L2L VPN SA is not renegotiating with backup isp in ASA

Hello,

I have an ASA5520 and I have configured two ISPs in failover mode. If the primary ISP goes down, the backup ISP takes over and internet works fine, but the Site to Site IPSec VPN SAs remain on the primary ISP; it is not renegotiating with the backup IP until I clear the cry ipsec sa.

Can someone please help me out?

Parvendra

2 REPLIES
Bronze

Re: L2L VPN SA is not renegotiating with backup isp in ASA

Do you have DPD Keepalives enabled? If so, and the keepalives fail, the SAs will be cleared by the ASA and the (reachable) backup peer IP would likely be used when the tunnel rebuilds.

New Member

Re: L2L VPN SA is not renegotiating with backup isp in ASA

Hi James,

Thanks for the reply. I have configured the "isakmp keepalive threshold 10 retry 3" on my ASA5520 but still no success. I have seen an error in syslog, attached below, and I think the problem is on the other side: either Checkpoint does not support keepalive or they haven't configured keepalive.

Dec 14 2009 14:08:23: %ASA-3-713119: Group = 11.22.33.44, IP = 11.22.33.44, PHASE 1 COMPLETED
Dec 14 2009 14:08:23: %ASA-3-713122: IP = 11.22.33.44, Keep-alives configured on but peer does not support keep-alives (type = None)

Please suggest.

Thanks
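
An added example, not part of the thread or written by any poster: a small Python script that scans ASA syslog text in the format quoted above and lists the peers for which the ASA logged 713122 (peer does not support keep-alives), alongside how often Phase 1 completed with each peer. The function names and every log line after the first two are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first two lines are the ones quoted in the thread,
# the rest are made up for illustration (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
Dec 14 2009 14:08:23: %ASA-3-713119: Group = 11.22.33.44, IP = 11.22.33.44, PHASE 1 COMPLETED
Dec 14 2009 14:08:23: %ASA-3-713122: IP = 11.22.33.44, Keep-alives configured on but peer does not support keep-alives (type = None)
Dec 14 2009 14:09:02: %ASA-3-713119: Group = 192.0.2.10, IP = 192.0.2.10, PHASE 1 COMPLETED
Dec 14 2009 15:10:41: %ASA-3-713119: Group = 11.22.33.44, IP = 11.22.33.44, PHASE 1 COMPLETED
Dec 14 2009 15:10:41: %ASA-3-713122: IP = 11.22.33.44, Keep-alives configured on but peer does not support keep-alives (type = None)
"""

# Timestamp, severity and six-digit message id, as they appear in the thread's log lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$"
)
IP_RE = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")

def keepalive_report(log_text):
    """Return {peer_ip: {"phase1": n, "no_keepalive": n}} from ASA syslog text."""
    peers = defaultdict(lambda: {"phase1": 0, "no_keepalive": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a line in the format shown in the thread
        ip = IP_RE.search(m["body"])
        if not ip:
            continue
        if m["msgid"] == "713119" and "PHASE 1 COMPLETED" in m["body"]:
            peers[ip["ip"]]["phase1"] += 1
        elif m["msgid"] == "713122":
            peers[ip["ip"]]["no_keepalive"] += 1
    return dict(peers)

def peers_without_keepalive(log_text):
    """Peers for which the ASA logged 713122 at least once, sorted."""
    return sorted(ip for ip, c in keepalive_report(log_text).items() if c["no_keepalive"])

if __name__ == "__main__":
    for ip, counts in keepalive_report(SAMPLE_LOG).items():
        state = "713122 logged" if counts["no_keepalive"] else "no 713122 seen"
        print(f"{ip}: phase1={counts['phase1']} 713122={counts['no_keepalive']} -> {state}")
```
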
