The remote site B has an ASA firewall connected to a primary and secondary link with a site-to-site VPN that terminates at the HQ site A ASA firewall. The remote site B firewall is configured with IP SLA and tracking, which works OK during failover, but whenever HQ site A is the tunnel initiator and the remote site B primary link fails over and comes back up, the VPN connection stays up on the secondary link and does not come back up on the primary. The only way to force the IPsec tunnel back onto the primary link is by clearing it on the HQ site A firewall. I have attached a Word document file to illustrate the setup.
HQ site A firewall crypto map:

crypto map remote_B 20 match address ACL_VPN_2
crypto map remote_B 20 set peer 18.104.22.168 22.214.171.124
crypto map remote_B 20 set transform-set TRANSFORM_B
This causes a problem because even though the tunnel is still up on the remote site B secondary link, the configured IP SLA and tracking has kicked in and installed the default route via the primary link's gateway address, so no traffic is passing through the tunnel.
But I noticed this happens mostly when the HQ site A firewall is the initiator of the tunnel and remote site B is the responder.
I want to know if there is a way to force HQ A firewall to be a responder permanently or if there is any other suggestion on how I can solve this problem?
Or whether the IPsec VPN can track the state of the remote site's primary and secondary link so as to know when to fall back to the primary link (the tracking and IP SLA work OK for routing of internet traffic but not for the VPN).
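To make the setup above concrete for other readers, here is an added illustration of the two halves of such a configuration; it is not taken from the poster's attached document or from Cisco's documentation. The interface names (primary, secondary, outside), the SLA and track numbers, and all addresses (RFC 5737 documentation ranges) are constructed assumptions. It shows the point the post makes: the remote site's tracked default route flips back to the primary link on its own, while the HQ crypto map simply lists two peers and has no dependency on that track, so nothing tells the existing tunnel on the secondary peer to move.

```cisco
! ---- Remote site B (assumed configuration, not the poster's) ----
! Probe the primary link's gateway; 203.0.113.1 is a constructed address.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface primary
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Track object 1 follows the reachability result of SLA 10.
track 1 rtr 10 reachability
!
! Tracked default route via the primary link (AD 1); when track 1 goes
! down it is withdrawn and the floating route via secondary (AD 254) takes over.
! When the probe succeeds again, the primary route is reinstalled.
route primary 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route secondary 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! ---- HQ site A (mirrors the crypto map shown in the post, with constructed peers) ----
! The two peers are the remote site's primary and secondary link addresses.
! Peer order only matters when HQ initiates; an established SA to the
! second peer is not torn down when the first peer becomes reachable again.
crypto map remote_B 20 match address ACL_VPN_2
crypto map remote_B 20 set peer 203.0.113.10 198.51.100.10
crypto map remote_B 20 set transform-set TRANSFORM_B
crypto map remote_B interface outside
```

The useful check on the HQ side is `show crypto ipsec sa peer <address>` for each of the two peer addresses after the remote primary link recovers: if the SA is still attached to the secondary peer while the remote site's routing has already moved back to the primary, that is the mismatch the post describes.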
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...