Cisco Support Community
Community Member

Site to Site (L2L) IPSec VPN with redundancy


I have an HQ site A and a remote site B.

The remote site B has an ASA firewall connected to a primary and a secondary link, with a site-to-site VPN that terminates at the HQ site A ASA firewall. The remote site B firewall is configured with IP SLA and tracking, which works fine during failover, but whenever HQ site A is the tunnel initiator and the remote site B primary link fails over and comes back up, the VPN connection stays up on the secondary link and does not come back up on the primary. The only way to force the IPsec tunnel back onto the primary link is by clearing it on the HQ site A firewall. I have attached a Word document to illustrate the setup.

HQ site A firewall crypto map

crypto map remote_B 20 match address ACL_VPN_2
crypto map remote_B 20 set peer
crypto map remote_B 20 set transform-set TRANSFORM_B

Remote site B firewall crypto map

crypto map HQ_Site_A 10 match address ACL_VPN_1
crypto map HQ_Site_A 10 set peer
crypto map HQ_Site_A 10 set transform-set TRANSFORM_A
crypto map HQ_Site_A interface outside
crypto map HQ_Site_A interface backup

This causes a problem because, even though the tunnel is still up on the remote site B secondary link, the configured IP SLA and tracking has kicked in and installed the default route via the primary link's gateway address, so no traffic is passing through the tunnel.

But I noticed this happens mostly when the HQ site A firewall is the initiator of the tunnel and remote site B is the responder.

I want to know if there is a way to force the HQ site A firewall to be a responder permanently, or if there is any other suggestion on how I can solve this problem?

Or whether the IPsec VPN can track the state of the remote site's primary and secondary links so as to know when to fall back to the primary link (the tracking and IP SLA work fine for routing of internet traffic, but not for the VPN).
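The post asks whether one side can be kept as the permanent responder. The following is an added configuration example, not part of the original post and not a confirmed fix for the behaviour it describes: it shows the ASA LAN-to-LAN crypto map option `set connection-type`, which restricts which side may initiate the tunnel. The crypto map names, sequence numbers, ACL and transform-set names are taken from the post; the peer addresses are placeholders because the post omits them. Whether this changes the fallback behaviour on the primary link is an assumption that would need to be verified in a lab.

```cisco
! Added example (not from the original post). Peer addresses are placeholders.
!
! HQ site A: same crypto map entry as the post, plus answer-only, so HQ never
! initiates toward site B and only responds to proposals from site B.
crypto map remote_B 20 match address ACL_VPN_2
crypto map remote_B 20 set peer <SITE_B_PRIMARY_IP> <SITE_B_BACKUP_IP>
crypto map remote_B 20 set transform-set TRANSFORM_B
crypto map remote_B 20 set connection-type answer-only
!
! Remote site B: originate-only, so site B brings the tunnel up from whichever
! interface the tracked default route currently points out of.
crypto map HQ_Site_A 10 match address ACL_VPN_1
crypto map HQ_Site_A 10 set peer <HQ_A_IP>
crypto map HQ_Site_A 10 set transform-set TRANSFORM_A
crypto map HQ_Site_A 10 set connection-type originate-only
crypto map HQ_Site_A interface outside
crypto map HQ_Site_A interface backup
!
! Verification on either ASA: confirm which peer address and local interface
! the current IKE and IPsec SAs are bound to after a primary-link flap.
show crypto isakmp sa
show crypto ipsec sa
```

With answer-only on HQ, the tunnel is only ever built on the responder's side, so HQ can no longer bring it up on its own; site B must have interesting traffic to trigger negotiation. Note that this by itself does not tear down an SA that is already established on the backup link when the primary returns, so the existing SA still needs to be cleared or to time out before traffic follows the restored default route.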

