ASA5520 failover problem

Actually, the failover works great! It works seamlessly. I'm pretty sure the problem is the Checkpoint firewalls on the other end of these tunnels

anywho, here's the background:
Our main firewall (ASA5520) has an active/standby failover setup.
Said firewall has NUMEROUS VPN connections.
Two of those VPN connections go to another company. Their firewall devices are CheckPoint.

Today, both connections to that company dropped. I had no idea why. I scrambled for a while checking configs and such with no luck. So finally, I walk down to the server room and look in the rack. Our primary ASA was actually on standby, while the secondary was active. ... I flipped that ASA back to active, and ... EUREKA! ... the tunnels built and all was well.

My question is, why did this happen? When the failover occurred, all other tunnels stayed up. The only variation is these two tunnels that were down happened to have CheckPoint firewall peers. Any known issues with this?

thanks, guys/girls!

Find more posts tagged with

Comments

larkspur

a good place to start is

sh failover ?

examine these commands and I believe you will find your answer. I like to know when my firewalls failover, so I have setup an e-mail notification.

when your ASA failover the vpn tunnels have to reestablish. a sh cry isa sa to check phase 1 and sh cry ipsec sa to check phase 2. Sometimes it is neccessary to clear crypto isa sa and ipsec to get the tunnels working correctly.

hth.

cisco_trooper

larkspur wrote: »

when your ASA failover the vpn tunnels have to reestablish. a sh cry isa sa to check phase 1 and sh cry ipsec sa to check phase 2. Sometimes it is neccessary to clear crypto isa sa and ipsec to get the tunnels working correctly.

Is this true even in stateful failover configuration on the ASAs???