IKEv2 Cisco ASA Single Peer Limit

Cisco has been hard at work bringing IKEv2 support to the ASA firewall, but the feature set still lacks an important item currently only available using IKEv1 on the ASA. This feature is “Multiple peers used for redundancy” and is configured with the “set peer” command. It sounds like they are considering this a bug but I’m not sure if or when they plan to release a fix. I noticed this on some of my ASA systems when I was migrating to a new public IP which was configured as a secondary failover IP on the remote ASA site-to-site crypto map entries. The tunnels came up quickly after the IP change, but they were all using IKEv1 because the remote systems had switched away from the primary (first) peer in the crypto map entry peer list. See the following Cisco article for details.

“Multiple peers used for redundancy is not supported with IKEv2 on the ASA. In IKEv1, for redundancy purposes, one can have more than one peer under the same crypto map when you enter the set peer command. The first peer will be the primary and if it fails, the second peer will kick in. Refer to Cisco bug ID CSCud22276”

The Cisco bug report CSCud22276 is available online only to registered Cisco customers. Here is a quote regarding suggested workarounds. The bug is listed as an “enhancement request” and is still open (no fix provided yet).

1) remove all but one peer from the crypto map
2) use IKEv1 instead of IKEv2”


About notesbytom

Keeping technology notes on WordPress.com to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).
This entry was posted in Networking and tagged , . Bookmark the permalink.

One Response to IKEv2 Cisco ASA Single Peer Limit

  1. Alex van der Wilk says:

    Hi Tom, in version 9.8 they introduced vti-tunnels. Redundancy is possible with ike2 than. I tested it and it worked.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s