Manage Network Tunnel Groups
Tunnels and tunnel groups are core concepts in managing connections between your data centers and Cisco Secure Access.
- Secure Access enables fast, reliable, and secure private network connections to your applications through IPsec (Internet Protocol Security) IKEv2 (Internet Key Exchange, version 2) tunnels.
- Network devices that are capable of establishing IPsec tunnels forward traffic to one of the Secure Access data centers where the tunnel head end is located.
- User devices can read, write, and update private resources by setting up virtual private networks (VPNs) or zero trust access (ZTA) connections to Secure Access through these IPsec tunnels.
- A network tunnel group provides the framework for establishing tunnel redundancy and high availability. Connect tunnels to the hubs within a network tunnel group to securely control user access to the Internet and private resources.
Failover for Branch Connections in Secure Access Data Centers
For redundancy, customer branch devices should connect to both the primary and secondary hubs in Cisco Secure Access data centers. They must have tunnel auto-reconnect enabled on the branch device and have a failure detection mechanism such as Dead Peer Detection (DPD), IP SLA, or BGP timeout, depending on their use case.
Under normal conditions, traffic flows through the primary data center. If the primary data center fails, traffic will route through the secondary data center. Switchover time depends on the nature of the primary tunnel failure and various timers.
Primary Traffic Failover to Secondary
- Failover can occur instantaneously if Secure Access or the customer branch device initiates and successfully terminates the IKE tunnel or BGP session. Note: terminating the IKE tunnel terminates BGP as well.
- In cases of communication failure between the branch device and Secure Access, traffic switches to the secondary only when the failure is detected on the Secure Access side:
  - The Secure Access side DPD timeout occurs or the BGP hold timer expires.
  - The customer's DPD timeout is not effective in this situation, because it does not result in tunnel termination on the Secure Access side.
  - The shorter of the Secure Access DPD timeout (156 seconds max, default and non-negotiable) and the BGP hold timer (90 seconds, default and negotiable) applies.
  - For example: with a DPD timeout of 156 seconds and a BGP hold timer of 90 seconds, it takes at least 90 seconds for traffic to switch to the secondary tunnel.
Recommendations
- Customers can initiate a tunnel termination when a traffic failure is detected via the primary.
- If initiating a tunnel termination is not feasible, the BGP session can be terminated or customers can wait for the BGP hold timer to expire.
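The following is an added example, not part of the Cisco Secure Access documentation, that models the failover timing rules and recommendations above so the effect of each timer can be checked before a change window. The `Failure` and `Timers` names are this example's own; the 156-second DPD timeout and 90-second BGP hold timer are the page's stated defaults, and the example assumes the standard BGP (RFC 4271) negotiation in which both peers use the smaller of the two proposed hold times.

```python
# Added example (not Cisco code): a model of primary-to-secondary failover timing
# for a Secure Access network tunnel group, following the rules stated on the page.
from dataclasses import dataclass
from enum import Enum
from typing import Tuple

# Values stated on the page.
SECURE_ACCESS_DPD_TIMEOUT = 156   # seconds; default and non-negotiable
BGP_HOLD_TIMER_DEFAULT = 90       # seconds; default and negotiable


class Failure(Enum):
    """How the primary path fails; the names are this example's own."""
    IKE_TERMINATED = "ike_terminated"   # a side deliberately tears down the IKE tunnel (BGP goes with it)
    BGP_TERMINATED = "bgp_terminated"   # a side deliberately tears down the BGP session
    SILENT_LOSS = "silent_loss"         # the path goes dark; neither side sends any teardown


@dataclass(frozen=True)
class Timers:
    """Timers in force on the primary tunnel, in seconds."""
    secure_access_dpd: int = SECURE_ACCESS_DPD_TIMEOUT
    bgp_hold_branch: int = BGP_HOLD_TIMER_DEFAULT         # hold time the branch device proposes
    bgp_hold_secure_access: int = BGP_HOLD_TIMER_DEFAULT  # hold time Secure Access proposes
    customer_dpd: int = 30  # constructed value; present only to show it does not affect the result


def negotiated_bgp_hold(branch: int, secure_access: int) -> int:
    """RFC 4271: both BGP peers use the smaller of the two proposed hold times."""
    return min(branch, secure_access)


def failover_delay(failure: Failure, timers: Timers = Timers()) -> Tuple[int, str]:
    """Return (seconds until traffic moves to the secondary, what triggered the switch).

    Explicit teardown of the IKE tunnel or the BGP session fails over at once (the
    page's recommended action). For a silent communication failure only detection on
    the Secure Access side counts: the customer's DPD cannot terminate the tunnel on
    the Secure Access side, so the delay is the shorter of the Secure Access DPD
    timeout and the negotiated BGP hold timer.
    """
    if failure is Failure.IKE_TERMINATED:
        return 0, "ike_teardown"
    if failure is Failure.BGP_TERMINATED:
        return 0, "bgp_teardown"
    hold = negotiated_bgp_hold(timers.bgp_hold_branch, timers.bgp_hold_secure_access)
    if hold <= timers.secure_access_dpd:
        return hold, "bgp_hold_timer"
    return timers.secure_access_dpd, "secure_access_dpd"


if __name__ == "__main__":
    scenarios = {
        "defaults": Timers(),
        "aggressive customer DPD (no effect)": Timers(customer_dpd=10),
        "long BGP hold, DPD wins": Timers(bgp_hold_branch=180, bgp_hold_secure_access=200),
        "short branch hold, negotiated down": Timers(bgp_hold_branch=60),
    }
    for name, t in scenarios.items():
        print(f"{name}: {failover_delay(Failure.SILENT_LOSS, t)}")
    print(f"explicit IKE teardown: {failover_delay(Failure.IKE_TERMINATED)}")
```

Running the script shows the point the page makes: shortening the customer's own DPD timer changes nothing for a silent failure, while negotiating a shorter BGP hold timer, or actively tearing down the IKE tunnel when the branch device detects loss of traffic, is what actually reduces the switchover time.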