ASA5520 failover problem

jworley Member Posts: 39
Actually, the failover works great! It works seamlessly. I'm pretty sure the problem is the Checkpoint firewalls on the other end of these tunnels.

anywho, here's the background:
Our main firewall (ASA5520) has an active/standby failover setup.
Said firewall has NUMEROUS VPN connections.
Two of those VPN connections go to another company. Their firewall devices are CheckPoint.


Today, both connections to that company dropped. I had no idea why. I scrambled for a while checking configs and such with no luck. So finally, I walk down to the server room and look in the rack. Our primary ASA was actually on standby, while the secondary was active. ... I flipped that ASA back to active, and ... EUREKA! ... the tunnels built and all was well.

My question is, why did this happen? When the failover occurred, all other tunnels stayed up. The only variation is these two tunnels that were down happened to have CheckPoint firewall peers. Any known issues with this?

thanks, guys/girls! :)
"I asked, 'Why do you bring a gun to a UFO sighting?' Guy said, 'Way-ul, we didn wanna be ab-duc-ted.' If I lived in Fife, Alabama, I would be on my hands and knees every night praying for abduction" -Bill Hicks

Comments

  • larkspur Member Posts: 235
    a good place to start is

    sh failover ?

    Examine these commands and I believe you will find your answer. I like to know when my firewalls fail over, so I have set up an e-mail notification.

    When your ASA fails over, the VPN tunnels have to reestablish. A sh cry isa sa to check phase 1 and sh cry ipsec sa to check phase 2. Sometimes it is necessary to clear crypto isa sa and ipsec to get the tunnels working correctly.

    hth.
    just trying to keep it all in perspective!
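An added example, not part of larkspur's post: after a failover, the phase 1 check suggested above can be run against a list of peers that should be up, so a tunnel that never rebuilt stands out. The sample text below is constructed in the IKEv1 layout of `show crypto isakmp sa` (assumed here), and the peer addresses and expected-peer inventory are hypothetical.

```python
import re

# Constructed sample of `show crypto isakmp sa` output (documentation IPs).
SAMPLE_ISAKMP = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3

1   IKE Peer: 198.51.100.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 203.0.113.20
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 203.0.113.30
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

# Hypothetical inventory of peers that should have a tunnel up.
EXPECTED_PEERS = {"198.51.100.10", "203.0.113.20", "203.0.113.30", "203.0.113.40"}

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")

def parse_phase1(output):
    """Return {peer_ip: state} from `show crypto isakmp sa` text."""
    sas, peer = {}, None
    for line in output.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            sas[peer] = "UNKNOWN"  # replaced when the State field is seen
            continue
        m = STATE_RE.search(line)
        if m and peer:
            sas[peer] = m.group(1)
    return sas

def tunnels_needing_attention(output, expected):
    """Map each expected peer lacking an established phase 1 SA to the reason."""
    sas = parse_phase1(output)
    problems = {}
    for peer in sorted(expected):
        state = sas.get(peer)
        if state is None:
            problems[peer] = "no phase 1 SA"
        elif state not in ("MM_ACTIVE", "AM_ACTIVE"):
            problems[peer] = "stuck in " + state
    return problems

if __name__ == "__main__":
    for peer, why in tunnels_needing_attention(SAMPLE_ISAKMP, EXPECTED_PEERS).items():
        print(peer, why)
```
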
  • cisco_trooper Too many Member Posts: 1,441
    larkspur wrote: »
    When your ASA fails over, the VPN tunnels have to reestablish. A sh cry isa sa to check phase 1 and sh cry ipsec sa to check phase 2. Sometimes it is necessary to clear crypto isa sa and ipsec to get the tunnels working correctly.

    Is this true even in stateful failover configuration on the ASAs???