I was running into issues when deploying some VPN redundancy between 1 main site and 2 remote sites, all using ASAs to terminate the VPN. Each location has a primary internet connection and a backup internet connection. When the primary connection at the main site fails, the backup VPN tunnels come up without an issue. However, when a remote site's primary internet connection fails, the tunnels come up for a brief moment and then proceed to go up and down sporadically.
What I have done in each crypto map is specify a second peer address at both the main site and the remote sites. I've also enabled the crypto map and ISAKMP on both outside interfaces. The ISAKMP state I keep getting during failover is: MM_WAIT_MSG2.
All ASAs are 5505s; however, the two remote sites do not have a Security Plus license. Instead they are using the no forward interface command on the secondary ISP VLAN to the primary ISP VLAN. This has seemed to work well so far. Solutions I've looked at so far seem to point at DPD (dead peer detection) or setting the connection type at the head end to originate-only. I did try setting the head end to originate-only, but this was not possible because the crypto map is associated with both outside interfaces.
I do know that the actual crypto map settings are correct, because they come up on the main internet connection without an issue. Please let me know if you have any suggestions; all are appreciated.
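For readers following the thread, here is an added ASA configuration sketch (not the poster's own config) of the dual-peer, dual-interface layout described above, with DPD keepalives under each tunnel-group, which is the part the poster has not yet tried. It assumes pre-8.4 ASA syntax (crypto isakmp / set transform-set), interface names "outside" and "backup", and constructed RFC 5737 addresses standing in for the remote site's two ISP addresses.

```cisco
! --- Phase 1 policy (constructed values) ---
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! ISAKMP must listen on both ISP-facing interfaces
crypto isakmp enable outside
crypto isakmp enable backup

! --- Phase 2 transform set ---
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! --- One crypto map entry per remote site, listing BOTH of that
! site's peer addresses; the ASA tries them in order when initiating ---
access-list VPN_TO_REMOTE1 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map VPNMAP 10 match address VPN_TO_REMOTE1
crypto map VPNMAP 10 set peer 203.0.113.10 198.51.100.10
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
! The same map is bound to both ISP interfaces, which is why
! per-entry "set connection-type originate-only" is refused here
crypto map VPNMAP interface outside
crypto map VPNMAP interface backup

! --- A tunnel-group is needed for EACH peer address the remote site
! may arrive from; DPD detects a dead primary path and lets the SA
! be torn down instead of flapping against a stale peer ---
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
 isakmp keepalive threshold 10 retry 2
```

A missing tunnel-group for the secondary peer address is one plain-config cause of an initiator stalling in MM_WAIT_MSG2, so "show crypto isakmp sa" and "show run tunnel-group" on both ends are the first things worth comparing during a forced failover.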