Cisco Bug: CSCvv13396 - ENH: Reducing the timer for the failover when using multiple VPN peers with ikev2

Last Modified

Sep 22, 2020

Products (1)

  • Sourcefire Defense Center

Known Affected Releases

6.6.0

Description (partial)

Symptom:
In releases earlier than 6.6.0, a crypto map with multiple peers was available only with IKEv1. Release 6.6.0 adds the ability to use a multiple-peer crypto map with IKEv2 as well; nevertheless, if the primary peer IP is unreachable,
the device takes about 2 minutes to fail over to the secondary peer when acting as initiator.
crypto map VPNMAP 10 set peer 1.1.1.1 2.2.2.2

Conditions:
IKEv2 Initiator Behavior
IKEv2 initiates the session with a peer, say Peer1. If Peer1 is unreachable for 5 SA_INIT retransmits, a final retransmit is sent. This activity takes about 2 minutes. When Peer1 fails, the SA_INIT message is sent to Peer2.
If Peer2 is also unreachable, session establishment is initiated with Peer3 after 2 minutes.
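To make the failover timing above concrete, the following is an added Python model of the initiator's walk through the crypto map peer list; it is not Cisco's code. The 7 SA_INIT sends per peer (initial, 5 retransmits, final) and the roughly 2 minutes per unreachable peer come from the description; the exact 120 s figure and the reachability map are assumptions.

```python
# Added example modelling the IKEv2 initiator behaviour described in
# CSCvv13396. It lets an operator estimate how long a tunnel stays down
# when the first N peers of a multi-peer crypto map are unreachable.
from dataclasses import dataclass

SA_INIT_RETRANSMITS = 5        # from the page: 5 retransmits ...
FINAL_RETRANSMIT = 1           # ... followed by one final retransmit
SENDS_PER_DEAD_PEER = 1 + SA_INIT_RETRANSMITS + FINAL_RETRANSMIT
PER_PEER_TIMEOUT_S = 120.0     # assumption: page says "about 2 minutes"


@dataclass
class Attempt:
    peer: str
    sa_init_sent: int    # SA_INIT messages sent to this peer
    elapsed_s: float     # time spent on this peer before moving on
    answered: bool


def simulate_failover(peers, reachable, per_peer_timeout_s=PER_PEER_TIMEOUT_S):
    """Walk the peer list in crypto-map order, as the IKEv2 initiator does.

    `reachable` is a constructed map peer -> bool standing in for the real
    network. Returns (peer_that_answered or None, total_elapsed_s, attempts).
    If every peer is unreachable the initiator has spent the full timeout
    on each one and still has no tunnel, which is the worst case.
    """
    attempts = []
    total = 0.0
    for peer in peers:
        if reachable.get(peer, False):
            # first SA_INIT answered: no retransmits, no extra delay
            attempts.append(Attempt(peer, 1, 0.0, True))
            return peer, total, attempts
        # unreachable: all retransmits exhausted before trying the next peer
        attempts.append(Attempt(peer, SENDS_PER_DEAD_PEER, per_peer_timeout_s, False))
        total += per_peer_timeout_s
    return None, total, attempts


if __name__ == "__main__":
    # constructed scenario: primary and secondary down, tertiary up
    peers = ["1.1.1.1", "2.2.2.2", "3.3.3.3"]
    peer, seconds, log = simulate_failover(peers, {"3.3.3.3": True})
    for a in log:
        print(f"{a.peer}: sent {a.sa_init_sent} SA_INIT, {a.elapsed_s:.0f}s, answered={a.answered}")
    print(f"tunnel up via {peer} after {seconds:.0f}s")
```

With the order above, each dead peer ahead of the live one adds the full timeout, so peer order in the crypto map directly sets the outage length.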