Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1142
Views
5
Helpful
1
Replies

Cisco ASA site to site VPN - 1 site with 2 ISP, 1 site single

Go to solution
Stanly
Level 1
Level 1

‎12-08-2018 11:27 AM - edited ‎02-21-2020 08:33 AM

Hi all,

 

Im looking at something interesting and would like to have your opinion on this.

I have 2 sites , to both these sites there will be remote VPN users. On top of this there will be a replication requirement.

now at the sites, for 1 site ISP confirmed a 100% SLA on 1 Gig Internet link as they own the DC they can provide this.

at site 2 I have only 1 ISP but they don't provide 100% availability due to this Im planning to have 2 Internet service providers.

now my confusion is how to configure these units, at site 1 it looks simple to create remote VPN and site to site configurations.

 

at site 2 where I'm planning for 2 ISP's how do I configure? These are the points i'm thinking/confused

1. Both ISP's will provide 2 separate set of public IPs 

2. How do remote users connect, to which public IP? in  the event of a link failure and 2nd link active?

3. How would the site to site configuration work ?

4. Should i configure 2 site to site configurations and enable tracking so that 1 is always down? and when the SLA tracking in place the 2nd link will establish site to site VPN with site 1?

 

Do you have any suggestions on this scenario?

Thanks

BS

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-09-2018 04:08 AM - edited ‎12-09-2018 04:14 AM

For remote access VPN users you can put a secondary FQDN for the location with two ISPs. Just get a certificate that has the second FQDN as a Subject Alternative Name (SAN) and it will work seamlessly for the remote access users. You then put that second FQDN in the connection profile and the clients will fail over to it automatically in the event that the first one isn't reachable.

 

For the site-site, make two tunnel groups with the less-preferred one second in the cryptomap order. If the remote site cannot establish a VPN using the first address it will try the second one.

 

The ip sla tracking tied to your route statement should be used to swing the default route from one ISP to the other. ASAs generally don't do a very good job load balancing (big understatement - they barely do it at all except in some corner cases where PBR is effective or where you can leverage ECMP).

View solution in original post

1 Reply 1

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-09-2018 04:08 AM - edited ‎12-09-2018 04:14 AM

For remote access VPN users you can put a secondary FQDN for the location with two ISPs. Just get a certificate that has the second FQDN as a Subject Alternative Name (SAN) and it will work seamlessly for the remote access users. You then put that second FQDN in the connection profile and the clients will fail over to it automatically in the event that the first one isn't reachable.

 

For the site-site, make two tunnel groups with the less-preferred one second in the cryptomap order. If the remote site cannot establish a VPN using the first address it will try the second one.

 

The ip sla tracking tied to your route statement should be used to swing the default route from one ISP to the other. ASAs generally don't do a very good job load balancing (big understatement - they barely do it at all except in some corner cases where PBR is effective or where you can leverage ECMP).

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card