diff --git a/agent_based/cisco_vpn_tunnel.py b/agent_based/cisco_vpn_tunnel.py
index 9b49333fca1388e0eba5166461a13dbfc6468955..b38d87556809a052c96067087017cbe959163b3a 100644
--- a/agent_based/cisco_vpn_tunnel.py
+++ b/agent_based/cisco_vpn_tunnel.py
@@ -15,6 +15,7 @@
 # 2018-02-16: readded tunnel alias
 # 2018-07-11: added parameter for missing IPSec SA, changed 'parsed' to use peer ip as index
 # 2021-08-03: rewritten for CMK 2.0
+# 2021-11-03: fix negative vpn active tine
 #
 # snmpwalk sample
 #
@@ -117,6 +118,7 @@ def _tunnelstatus(st: int) -> str:
 def _cisco_vpn_tunnel_render_ipv4_address(bytestring):
     return '.'.join([f'{ord(m)}' for m in bytestring])
 
+
 ###########################################################################
 #
 #  DATA Parser function
@@ -132,7 +134,7 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:
     # summarize IPSec SAs, ASSUMPTION: except for counters all SA attributes are identical per IKE index
     for ike_tunnel_index, ike_tunnel_alive, active_time, hc_in_octets, in_pkts, in_drop_pkts, hc_out_octets, \
             out_pkts, out_drop_pkts in ipsec_tunnel_entry:
-        
+
         if ike_tunnel_index.isdigit():
             ipsec_sa = ipsec_sa_summary.setdefault(
                 ike_tunnel_index,
@@ -154,7 +156,6 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:
             nego_mode in ike_tunnel_entry:
 
         if index.isdigit():
-            # if int(nego_mode) == 2:  # drop agressive mode tunnel, likely Remote Access
             remote_addr = _cisco_vpn_tunnel_render_ipv4_address(remote_addr)
             if remote_addr.split('.') != 4:
                 remote_addr = remote_value
@@ -183,6 +184,7 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:
 
     return vpntunnel
 
+
 ###########################################################################
 #
 #  Inventory function
@@ -222,6 +224,10 @@ def check_cisco_vpn_tunnel(item, params, section: Dict[str, IkeSa]) -> CheckResu
         yield Result(state=State(tunnel_not_found_state), summary='VPN Tunnel not found in SNMP data')
         return
 
+    # check if tunnel lifetime < 0, happens on asa failover
+    if tunnel.active_time < 0:
+        tunnel.active_time = tunnel.active_time * -1
+
     yield from check_levels(
         value=tunnel.active_time,
         label='IKE uptime',
@@ -250,7 +256,7 @@ def check_cisco_vpn_tunnel(item, params, section: Dict[str, IkeSa]) -> CheckResu
 
     ]:
         try:
-            value = get_rate(value_store, f'cisco_vpn_tunnel.{key}.{rate_item}', now_time, value,  raise_overflow=False)
+            value = get_rate(value_store, f'cisco_vpn_tunnel.{key}.{rate_item}', now_time, value, raise_overflow=False)
         except GetRateError:
             raise_ingore_res = True
             value = 0
@@ -308,6 +314,7 @@ def check_cisco_vpn_tunnel(item, params, section: Dict[str, IkeSa]) -> CheckResu
     else:
         yield Result(state=State(missing_ipsec_sa_state), notice='No IPSec sa found')
 
+
 ###########################################################################
 #
 #  Check info
@@ -373,7 +380,7 @@ register.check_plugin(
     },
     check_function=check_cisco_vpn_tunnel,
     check_default_parameters={
-        'state': 3,    # default state for tunnel not found
+        'state': 3,  # default state for tunnel not found
         'missing_ipsec_sa_state': 1,
         'tunnels': [],  # list of tunnel specific not found states ('<ip-address>', '<alias>', <state>)
     },
diff --git a/cisco_vpn_tunnel.mkp b/cisco_vpn_tunnel.mkp
index 0398d590158d29b061508cfcb405ff3c613c9ed1..93fbe7991a96d9fbcd3e8279071b102f33f51103 100644
Binary files a/cisco_vpn_tunnel.mkp and b/cisco_vpn_tunnel.mkp differ
diff --git a/packages/cisco_vpn_tunnel b/packages/cisco_vpn_tunnel
index cbca0d53473ea3e2807517ebae6f71f091cec43b..6b859d52a7d19b416f039422c99ded8e841c2d4b 100644
--- a/packages/cisco_vpn_tunnel
+++ b/packages/cisco_vpn_tunnel
@@ -11,7 +11,7 @@
  'name': 'cisco_vpn_tunnel',
  'num_files': 3,
  'title': 'Monitor Cisco VPN Tunnel',
- 'version': '20210803v.0.2',
+ 'version': '20210803.v0.2',
  'version.min_required': '2.0.0',
- 'version.packaged': '2021.07.14',
+ 'version.packaged': '2021.09.20',
  'version.usable_until': None}
\ No newline at end of file
diff --git a/web/plugins/wato/cisco_vpn_tunnel.py b/web/plugins/wato/cisco_vpn_tunnel.py
index c298d92d0a8c1154693ce0178191a29fcace014e..c1875327c05c1a0b594eb33e0a5328630a2a0781 100644
--- a/web/plugins/wato/cisco_vpn_tunnel.py
+++ b/web/plugins/wato/cisco_vpn_tunnel.py
@@ -90,7 +90,7 @@ rulespec_registry.register(
 
 def _valuespec_discovery_cisco_vpn_tunnel():
     return Dictionary(
-            title=_("VPN Tunnel discovery"),
+            title=_('VPN Tunnel discovery'),
             elements=[(
                 'discover_aggressive_mode',
                 FixedValue(
@@ -106,7 +106,7 @@ def _valuespec_discovery_cisco_vpn_tunnel():
 rulespec_registry.register(
     HostRulespec(
         group=RulespecGroupCheckParametersDiscovery,
-        match_type="dict",
-        name="discovery_cisco_vpn_tunnel",
+        match_type='dict',
+        name='discovery_cisco_vpn_tunnel',
         valuespec=_valuespec_discovery_cisco_vpn_tunnel,
     ))