[c-nsp] ASA IPSec VPN redundancy - locks up on return of main link

[Jay Hennigan]

Scenario:

IPSec LAN-to-LAN tunnel between two ASA appliances, both running 7.2(3).

Remote site has an E-1 connection and a backup via DSL, set up with 
track commands for default routes.  Tracking is working as verified by 
Internet traffic switching successfully to backup link and back.

VPN traffic fails over normally to backup link.  When primary link is 
restored, VPN traffic stops flowing until ISAKMP is manually cleared.

Failing the backup connection will also restore connectivity by the main 
link.

This appears to be because there is already an ISAKMP SA on the backup 
link, and hence the primary ISAKMP SA refuses to negotiate to the same 
peer.  However, the routing is trying to go to the main link but there 
is no SA, so traffic fails.  We've tried playing with DPD, etc. to no 
avail.

Possible options seem to be somehow tying the ISAKMP to the track 
command or establishing a second SA to the same peer that stays up.

A clue or a pointer to one would be appreciated.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV