In case anybody is interested:
Managed to find the answer eventually. Stateful failover is not supported
for VPN (from TAC), so the SA's must be cleared every time a change of
active Pix occurs.
Had the right idea with the lifetime of the CA's but applying it incorrectly.
Have managed to get the devices to do this automatically by using isakmp
keepalive 120 (crypto isakmp keepalive 120 for routers).
This means there is some extra overhead as the SA's are cleared every 2
minutes, but at least the VPN re-establishes itself.



Gaz



"Gaz" wrote in message
news:[EMAIL PROTECTED]...
> Hi all,
>
> Anybody got any experience using 3DES to Pix Failover.
>
> I have a 2621 with 3DES using VPN to Pix 515 Failover bundle.
>
> All works fine after initial boot. Fails over to secondary Pix when I kill
> the Primary.
>
> If I try to fail back to Primary, it does not come back up. Does not seem to
> pick up the SA. Clear SA on the router brings it back up.
> Knocked the lifetime down to 60 seconds in the ISAKMP policy, but seems to
> have no effect.
>
> Failover is working fine, it's just the VPN that doesn't come back up.
>
> Pix is 6.2, router is 12.1(5)T12.
>
> Any similar experiences?
>
> More details to follow if there are any bites  :-)
>
>
> Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46900&t=46813