5087 Views | 0 Helpful | 6 Replies

ASA 5505 VPN Failover over WAN failover.

John Peterson
Level 1

Hi,

Hoping someone can point me in the right direction. I have an ASA 5505 which is connected to a remote site, which also has an ASA 5505, over a L2L VPN tunnel. One of the sites has a WAN failover configured with two ISPs, which is working successfully.

But when the WAN connection fails over to the backup connection, the VPN link breaks, as the peer site IP address has changed and the VPN cannot establish a connection.

Would it be possible to configure a VPN failover so that when the connection fails over, so will the VPN tunnel?

Thanks

6 Replies

Jon Marshall
Hall of Fame

John

When you use "crypto map set peer x.x.x.x" you can specify multiple peer IPs to use as a fallback list, i.e. it tries the first IP and if that fails then the next, etc. So you could try:

crypto map set peer x.x.x.x y.y.y.y   <--- where y.y.y.y is the backup WAN IP.

Jon

Hi Jon,

Would it also be possible to specify different interfaces in the crypto map, i.e. crypto map l2lsites interface outside and crypto map l2lsites interface outside2?

As the WAN failover would switch over to outside2?


Yes, you can apply different crypto maps to different interfaces, if that is what you are asking, but you would need to make sure that if you wanted the traffic to go via outside2 for failover, then traffic is routed that way on the ASA.

Jon

Thanks,

Would the ASA choose the next interface if it can't connect?

I'm looking to do something like this:

crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map l2lsites 10 match address acl-l2l-ny
crypto map l2lsites 10 set peer XXX.XXX.XXX.XXX
crypto map l2lsites 10 set transform-set esp-3des-md5
crypto map l2lsites interface outside
crypto map l2lsites interface outside_failover
crypto isakmp enable outside
crypto isakmp enable outside_failover

In which case, when the internet connection fails over, the ASA would know that outside is down and then try outside_failover.

Am I right in thinking this is how it would work?

Also how about the tunnel group?

Peter Long
Level 1

I managed to get it working, like so

Cisco ASA/PIX 8.x: Redundant or Backup ISP Links with VPNs

Pete
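The pieces discussed across this thread (Jon's multi-peer "set peer" list, the crypto map applied to both outside interfaces, the routing that actually steers traffic to the backup ISP, and the tunnel-group question John raised) fit together as below. This is an added worked example, not configuration from any of the posters or from the linked Cisco document. It assumes ASA 8.2-style syntax, the interface and crypto map names from John's post, RFC 5737 documentation addresses for the two ISPs (203.0.113.10 and 198.51.100.10) and the remote site (192.0.2.10), private LANs 192.168.1.0/24 and 192.168.2.0/24, and a placeholder pre-shared key; every address, next hop, and the key are assumptions to be replaced. The dual-ISP site uses an IP SLA tracked default route so that when the primary ISP's gateway stops answering, the default route flips to outside_failover and the tunnel is rebuilt from that interface; the single-ISP site lists both of the dual-ISP site's public addresses as peers and needs a tunnel-group for each, because the ASA matches an L2L tunnel-group by the peer's IP address.

```cisco
!======================================================================
! Site A: ASA 5505 with two ISPs (assumed addresses, replace before use)
!======================================================================
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Vlan3
 nameif outside_failover
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! Track the primary ISP gateway; if the echo fails, the tracked default
! route is withdrawn and the metric-254 route via outside_failover takes over.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside_failover 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Phase 1: ISAKMP must be enabled on BOTH outside interfaces.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto isakmp enable outside_failover
!
! Phase 2: same crypto map bound to both interfaces. Site B has a single
! public address, so only one peer is listed here.
access-list acl-l2l-ny extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map l2lsites 10 match address acl-l2l-ny
crypto map l2lsites 10 set peer 192.0.2.10
crypto map l2lsites 10 set transform-set esp-3des-md5
crypto map l2lsites interface outside
crypto map l2lsites interface outside_failover
!
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_A_LONG_RANDOM_KEY
!
!======================================================================
! Site B: ASA 5505 with a single ISP (assumed addresses, replace before use)
!======================================================================
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp enable outside
!
! Peer list: Site A's primary WAN address first, backup WAN address second.
! The ASA tries them in order when it has to bring the tunnel up.
access-list acl-l2l-siteA extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto map l2lsites 10 match address acl-l2l-siteA
crypto map l2lsites 10 set peer 203.0.113.10 198.51.100.10
crypto map l2lsites 10 set transform-set esp-3des-md5
crypto map l2lsites interface outside
!
! One tunnel-group per possible peer address, same pre-shared key on both.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_A_LONG_RANDOM_KEY
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_A_LONG_RANDOM_KEY
```

To verify the failover, watch "show track 1" and "show route" on Site A while the primary ISP is down (the default route should move to outside_failover), then confirm "show crypto isakmp sa" and "show crypto ipsec sa" on either side show a security association with the backup address 198.51.100.10 as the peer. Expect a short outage during the switch: the existing SAs were built for the old peer address and have to be torn down and renegotiated, and the Site B ASA only walks its peer list when it initiates, so "clear crypto isakmp sa" on Site B speeds up the recovery if interesting traffic is not already flowing. Two caveats worth keeping in mind: the 3des/md5 transform set and DH group 2 are kept only to match the thread and should be replaced with AES and SHA where both ends support them, and a third VLAN interface on an ASA 5505 is subject to the platform's licence restrictions, so check that your licence actually permits the outside_failover interface before relying on it.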
