
5525-X - VPN failover

donmarlooon
Level 1

Good day everyone,
I would like to ask if it is possible to configure a site-to-site VPN on an active/standby firewall pair reaching one peer but using two different interfaces, outside1 (ISP1) and outside2 (ISP2). Our goal is to have the site-to-site VPN on both interfaces, or a failover VPN where, when ISP1 goes down, we still have ISP2 for the site-to-site VPN.
Our setup before was two standalone firewalls: one carried the VPN to the peer via fw1 (ISP1), and the other carried the VPN to the same peer via fw2 (ISP2). Of course, that had no problems, since the two firewalls were standalone. We then decided to buy two new firewalls, replaced the existing ones, and changed the setup so that the two firewalls run active/standby, acting logically as one firewall with failover.
Is it possible to have the site-to-site VPN the same way as in the previous setup, with both the outside1 and outside2 interfaces carrying two simultaneous VPNs? Our setup has different interesting traffic for outside1 and for outside2, but a single peer.
I don't know if this makes sense to you guys, but I hope it does.

Thank you.

5 Replies

Yes, it is possible, but you control this through routing instead of VPN configuration.

For example, you configure two default routes with trackers to detect failure on ISP1 and point to ISP2. This will automatically fail over the VPN, as the VPN is triggered by having interesting traffic exit the VPN interface and match the interesting-traffic ACL.

Hi Sir, thanks for the immediate response. I want to inform you that I already have PBR configured, assigning subnets to use ISP1 or ISP2, but I think this PBR is irrelevant to what you are talking about.
Anyway, do you mean that if trackers are configured, even if I don't configure the VPN on the outside2 interface, it is automatically transferred to the outside2 interface? Or should I still configure the VPN on the outside2 interface? I have already tried configuring the same peer on outside2, but I got a lot of errors and it overwrote the existing one on outside1, since it is the same peer IP.
I'm sorry, I hope you get my point. It is my first time handling this kind of setup. Thanks a lot.

Just add the same crypto map to the same interface. Not much config.

You have to configure the tunnels and NATs/exemptions, crypto sets, match lists, etc. on both interfaces of the head end. Your remote-side peers will need to specify the peer IPs of each outside interface of your head-end ASA, in order of preference.

mkazam001
Level 3
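Putting the two answers above together (SLA-tracked default routes for the path decision, one crypto map bound to both outside interfaces, NAT exemption on both interface pairs, and the remote peer listing both head-end addresses), here is what the head-end and remote configuration looks like in ASA 9.x syntax. This is an added example, not configuration posted in the thread or Cisco's own reference material; the interface names, the RFC 5737 addresses, the LAN subnets, the object and map names and the pre-shared-key placeholder are all assumptions. The tunnel-group is keyed by peer IP, so it is defined once regardless of how many interfaces the crypto map is bound to.

```cisco
! Added example (not from the thread). Assumed names and addresses:
!   outside1 -> ISP1, next hop 203.0.113.1, head-end address 203.0.113.10
!   outside2 -> ISP2, next hop 198.51.100.1, head-end address 198.51.100.10
!   remote peer 192.0.2.20, local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16
!
! 1. Track ISP1 with an ICMP SLA probe. The primary default route is
!    withdrawn when the probe fails; the floating route via outside2
!    (administrative distance 254) then carries all traffic, including
!    the crypto-ACL traffic that brings the tunnel up on outside2.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! 2. One peer, one tunnel-group. DPD (isakmp keepalive) lets stale SAs on
!    the failed path be torn down instead of waiting for the lifetime.
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
 isakmp keepalive threshold 10 retry 2
!
! 3. IKE/IPsec policy, with IKEv1 enabled on both outside interfaces.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside1
crypto ikev1 enable outside2
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! 4. Interesting traffic and a single crypto map bound to BOTH interfaces.
access-list VPN-PEER extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address VPN-PEER
crypto map OUTSIDE-MAP 10 set peer 192.0.2.20
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside1
crypto map OUTSIDE-MAP interface outside2
!
! 5. Identity NAT (NAT exemption) on both interface pairs, so tunnel
!    traffic is never translated whichever interface it leaves on.
object network LOCAL-LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.2.0.0 255.255.0.0
nat (inside,outside1) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
nat (inside,outside2) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! 6. Remote peer (assumed to be an ASA as well): list both head-end
!    addresses in order of preference, and define a tunnel-group for each,
!    since the remote side sees two different peer IPs.
crypto map REMOTE-MAP 10 set peer 203.0.113.10 198.51.100.10
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
```

Two practical checks: `show track 1` and `show route` confirm which default route is installed, and `show crypto ikev1 sa` / `show crypto ipsec sa` show which local interface address the SA is currently built on. Expect a short interruption at failover, since the existing SAs on outside1 must be torn down (by DPD or by the peer) before new ones are negotiated from outside2. In an active/standby pair, this configuration is entered once on the active unit; the standby receives it through configuration sync.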