Cisco Support Community
New Member

Problem with VPN L2L and RA in a failover configuration

I'm using two ASA 5540 in active-standby failover configuration. These boxes (primary and secondary) are used to establish some L2L and RA (Remote Access) VPNs. The active box runs the OSPF process.

The problem is that when failover occurs (just shutting down the active box, or running 'failover active' on the secondary box), none of the L2L tunnels are reestablished on the secondary box. The only way I can reestablish the connection is by removing the RRI (Reverse Route Injection) configuration (e.g. 'no crypto map rprbbe_map 3 set reverse-route') and putting the RRI configuration back ('crypto map rprbbe_map 3 set reverse-route'). After doing this the connection is reestablished.

For RA clients the session persists on a failover event, but the client loses access. To solve this, the client needs to disconnect and reconnect.

Does someone have experience with this kind of VPN (L2L and RA) configuration using failover?
9 REPLIES
Cisco Employee

Re: Problem with VPN L2L and RA in a failover configuration

Behavior looks buggy.

What version are you running?

New Member

Re: Problem with VPN L2L and RA in a failover configuration

Version 8.3(1)

Cisco Employee

Re: Problem with VPN L2L and RA in a failover configuration

A lot of guesswork, but there are two potential bugs:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd74691

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf68934

I would check if you see rerr or txerr increasing in "show failover" on either firewall.

I'd check "fsck" on both units and try doing "write standby" on the active afterwards.

Short of that ... either upgrade to 8.3.2 when it's out (August?) or downgrade to 8.2 and test again. Or open a TAC case.

New Member

Re: Problem with VPN L2L and RA in a failover configuration

I've opened a TAC for this issue.

I'm waiting for the solution.

Cisco Employee

Re: Problem with VPN L2L and RA in a failover configuration

Can you share the case number with me?

New Member

Re: Problem with VPN L2L and RA in a failover configuration

The case number is: SR 614675535.

New Member

Re: Problem with VPN L2L and RA in a failover configuration

This issue is a new bug identified with ID CSCth58083.

Cisco Employee

Re: Problem with VPN L2L and RA in a failover configuration

Awesome!

I've added this one to my interest list.

Marcin

New Member

Re: Problem with VPN L2L and RA in a failover configuration

This week I received a solution for my problem from TAC!

After some version upgrades (I'm now running asa831-6-k8, a development version), my connections were passed from one box (primary unit) to the other box (standby unit) after a failover, but the problem with RRI happened.

The solution to my case was to insert a static default route with a higher metric than OSPF. Why? According to the Cisco engineer, the standby unit needs this to reach the connections that have already been established (L2L and RA), and after the OSPF process is running on the standby unit, after a failover, the static routes of L2L and RA may be inserted into the OSPF routes.
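To make the TAC fix concrete, here is an added ASA configuration fragment (not the poster's running config and not from the TAC case) that puts the pieces of the thread together: active/standby failover, the 'rprbbe_map 3' crypto map entry with reverse-route injection, OSPF on the outside interface, and the floating static default route. Interface names, the next hop 203.0.113.1, the peer 198.51.100.10, the ACL and transform-set names are assumed placeholders. The point of the last route is the administrative distance: 254 is higher than OSPF's 110, so the static default only carries traffic to already-established peers while the standby's OSPF process is still converging after a failover, and is withdrawn from the RIB as soon as OSPF supplies its own default.

```cisco
! Added example, not the thread's configuration. Addresses, interface and
! object names are assumed placeholders. ASA 8.3(1) syntax.

! --- Active/standby failover with a stateful link (so IPsec/IKE SAs are replicated)
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2

! --- L2L crypto map entry with Reverse Route Injection, as discussed above
! (L2L_PEER_ACL and ESP-AES-SHA are assumed to be defined elsewhere)
crypto map rprbbe_map 3 match address L2L_PEER_ACL
crypto map rprbbe_map 3 set peer 198.51.100.10
crypto map rprbbe_map 3 set transform-set ESP-AES-SHA
crypto map rprbbe_map 3 set reverse-route
crypto map rprbbe_map interface outside

! --- OSPF on the outside; redistributing statics advertises the RRI routes
router ospf 1
 network 203.0.113.0 255.255.255.0 area 0
 redistribute static subnets

! --- The TAC fix: floating static default route.
! Distance 254 > OSPF (110): used only until the OSPF default appears,
! which is exactly the window right after "failover active" on the standby.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 254

! --- Verification after forcing a failover to the standby
! show failover        (watch the rerr / txerr counters mentioned above)
! show route           (expect the S* 0.0.0.0 entry with [254/0] first,
!                       then the OSPF-learned default with [110/...] replacing it)
! show crypto ipsec sa (tunnels should come back without toggling reverse-route)
```

Two things to check when applying this: the next hop of the floating static must be the same gateway OSPF would eventually pick, otherwise traffic for the VPN peers takes a different path during convergence and the tunnels may flap a second time; and the distance must stay above 110 or the static will permanently shadow the OSPF default on both units, not just during failover.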

460 Views | 0 Helpful | 9 Replies