Client is using IAP-VPN as a home office / VPN solution for users. Has been working for years on a single 3400 controller. They have just replaced the single 3400 with a redundant pair of 7205 controllers, using VRRP for master redundancy. VRRP is tested and works. The VIP fails over and back as expected.
They are NATing a single public IP address to the VIP of the controllers.
When the preferred master is up, everything works as expected. IAP-VPN connects, no problems.
But when they fail over to the backup master, the IAP-VPN never connects.
The firewall logs show the traffic being passed to the VIP.
"show datapath session" on the backup master seems to show UDP 4500 reaching the controller.
"show iap table" lists all branches as "down".
"show crypto isakmp sa" and "show crypto ipsec sa" return no results.
Called Aruba TAC but no engineers were available. Our maintenance window expired with no callback :/
Anyone have any ideas why failover isn't happening for the Instant VPN?