I am using tracking on the default routes to help track the failover for the VPN tunnel. However, when the interface comes back up, the VPN tunnel does not fail back to it. Is there something that I need to put in for the VPN tunnel to fail back?
Perhaps if you provide some config details about how normal routing is configured, how you track, and how you configure failover and failback, then we might be able to give better advice about how to solve this problem.
I am using OSPF and SLA tracking. When the primary interface comes up, the L2L VPN does not end on the secondary interface and start on the primary interface. If I do a clear crypto sa, then the VPN tunnel will come up on the primary interface.
ip sla monitor 1
type echo protocol ipIcmpEcho xxx.xxx.xxx.xxx(Primary interface IP address)
ip sla monitor schedule 1 life forever start-time now
What you have posted looks like a fairly effective implementation to manage routes so that the primary static default route is over Dialer0 and if there is a failure it should fail over to Dialer1.
But I still do not understand well what your problem is. In the original post I thought I understood that you have configured an IPSec VPN and that you wanted it to take a backup route if the primary failed. In your more recent description it sounds more like there are two different tunnels. Is that the case? Perhaps you can supply some more detail about how the IPSec is set up and what the problem is.
The failover for the VPN works now (but did not when I posted this); however, when the primary comes back up, the VPN tunnel does not fail back automatically. Is this something that should happen automatically or not? Is there something else I need to add to the configuration for this to happen?
Thank you for your replies, and sorry for the confusion.
I am glad that the failover is now working. I am guessing that it should not automatically fail back. I am guessing that the default is to wait for the IPSec SA to expire (lifetime expiration) for it to fail back. But since I do not know how you have it configured it is just a guess at this point.