Cisco ASA 5510 Adaptive Security Appliance Troubleshooting Guide

that the EEM triggers, and event manager applets that define actions. You may add multiple events to each
event manager applet; any one of them triggers the applet to invoke the actions configured on it.
VPN Preempt
If you configure a VPN with multiple peer IP addresses for a crypto map entry, the VPN is established with the
backup peer IP once the primary peer goes down. However, once the primary peer comes back, the VPN does
not preempt (fail back) to the primary IP address. You must manually delete the existing security association
(SA) in order to reinitiate the VPN negotiation and switch it back to the primary IP address.
ASA 1
crypto map outside_map 10 match address outside_cryptomap_20
crypto map outside_map 10 set peer 209.165.200.225 209.165.201.1
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
In this example, an IP service level agreement (SLA) probe is used in order to monitor the primary peer. If that
peer fails, the backup peer takes over, but the SLA keeps monitoring the primary; once the primary comes back up,
the syslog generated by the tracked route triggers the EEM applet to clear the secondary tunnel, which lets the ASA
re-negotiate with the primary again.
! IP SLA probe: ICMP echo to the primary peer through the outside interface
sla monitor 123
 type echo protocol ipIcmpEcho 209.165.200.225 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
! Track object 1 follows the reachability result of SLA 123
track 1 rtr 123 reachability
! Tracked static route: syslog 622001 is logged when this route is added or removed
route outside 209.165.200.225 255.255.255.0 203.0.113.254 1 track 1
! EEM applet: on the second 622001 message, clear the SA with the backup peer
! (209.165.201.1, the second address in the crypto map) so the ASA renegotiates with the primary
event manager applet PREEMPT
 event syslog id 622001 occurs 2
 action 1 cli command "clear crypto ipsec sa peer 209.165.201.1"
 output none
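As an added consistency check (example code, not from the Cisco guide): a Python lint that parses the crypto map peer list, the IP SLA probe target and the EEM clear action, and reports when the probe does not watch the primary peer or when the clear command names an address that is not one of the configured backup peers. The embedded configuration is a constructed sample in the shape of the PREEMPT applet, with a deliberately wrong peer address in the clear command.

```python
import re

# Constructed sample config (not from the guide) in the shape of the PREEMPT
# applet; the clear command deliberately names a peer that is not the backup.
ASA_CONFIG = """\
crypto map outside_map 10 match address outside_cryptomap_20
crypto map outside_map 10 set peer 209.165.200.225 209.165.201.1
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
sla monitor 123
 type echo protocol ipIcmpEcho 209.165.200.225 interface outside
 num-packets 3
 frequency 10
track 1 rtr 123 reachability
event manager applet PREEMPT
 event syslog id 622001 occurs 2
 action 1 cli command "clear crypto ipsec sa peer 209.165.101.1"
 output none
"""

PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (.+)$", re.M)
SLA_RE = re.compile(r"^\s*type echo protocol ipIcmpEcho (\S+) interface", re.M)
CLEAR_RE = re.compile(r'clear crypto ipsec sa peer ([0-9.]+)"', re.M)


def check_preempt(config: str) -> list[str]:
    """Return findings about the preempt wiring; an empty list means consistent."""
    findings = []
    peers = []
    for m in PEER_RE.finditer(config):
        peers.extend(m.group(1).split())  # first address is the primary peer
    if len(peers) < 2:
        return ["crypto map has fewer than two peers; nothing to preempt to"]
    primary, backups = peers[0], peers[1:]
    # The SLA probe must watch the primary, or the applet fires on the wrong event
    for target in SLA_RE.findall(config):
        if target != primary:
            findings.append(f"SLA probes {target}, but the primary peer is {primary}")
    cleared = CLEAR_RE.findall(config)
    if not cleared:
        findings.append("no EEM action clears an IPsec SA")
    for ip in cleared:
        if ip == primary:
            findings.append(f"EEM clears the primary peer {ip}; preempt needs the backup SA cleared")
        elif ip not in backups:
            findings.append(f"EEM clears {ip}, which is not a configured backup peer ({', '.join(backups)})")
    return findings
```

Run `check_preempt` against the running configuration exported from the ASA; an empty list means the probe, the crypto map and the applet all refer to the same peers.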