ASA 5508 - VTI site to Site tunnels

it_guy
Level 1

We have a few sites in our environment all connected with site-to-site tunnels on our ASAs, all using VTI routed IPsec tunnels. This is all using BGP on the back end for routing. This has been working great. We are adding a second ISP at Office A. The problem I'm having is adding redundant VPN connections for WAN failover at Office A. The ASA won't allow dual IPsec tunnels to the same destination.

My question is how would this be accomplished with Cisco gear? What I see in the documentation is to add second IPs at the other sites. This seems to me to be a waste of resources. Are there alternatives to this? Maybe a way to set up a tunnel to DNS so the failover is done at that level?

Network is something like:

Office A:
WAN1: 11.11.11.11
WAN2: 12.12.12.12

Office B:
WAN: 13.13.13.13

Current S2S tunnel: Office A WAN1 <-> Office B WAN

Can't add tunnel two: Office A WAN2 <-> Office B WAN

 

Accepted Solution

Hi,
You cannot specify 2 tunnel destinations under the 1 tunnel interface, but you can define 2 tunnel interfaces on both Site A and Site B ASAs. On the Site A ASA you would specify a different source interface on each tunnel interface.

You would also need to define a tunnel-group on the Site B ASA for the WAN2 IP address of Site A.

HTH
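The layout the answer describes, written out as ASA CLI with the addresses from the question. This is an added example, not configuration from the original post or from Cisco's documentation; the interface names (WAN1, WAN2, outside), the 10.255.x.x/30 tunnel addressing, the AS numbers 65001/65002, the IKEv2 policy values and the pre-shared-key placeholder are all assumptions to be replaced with your own.

```cisco
! ===== Office A ASA (WAN1 = 11.11.11.11, WAN2 = 12.12.12.12) =====
! Shared IKEv2 / IPsec policy (assumed values; use what your policy requires)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable WAN1
crypto ikev2 enable WAN2
crypto ipsec ikev2 ipsec-proposal VTI-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal VTI-PROP
!
! One tunnel-group for Office B; both VTIs toward B use it
tunnel-group 13.13.13.13 type ipsec-l2l
tunnel-group 13.13.13.13 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
!
! VTI 1: the existing tunnel, sourced from WAN1
interface Tunnel1
 nameif VTI-B-WAN1
 ip address 10.255.1.1 255.255.255.252
 tunnel source interface WAN1
 tunnel destination 13.13.13.13
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! VTI 2: same destination, different source interface (WAN2)
interface Tunnel2
 nameif VTI-B-WAN2
 ip address 10.255.2.1 255.255.255.252
 tunnel source interface WAN2
 tunnel destination 13.13.13.13
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! BGP peers over both VTIs (AS numbers assumed) so failover is route-driven
router bgp 65001
 address-family ipv4 unicast
  neighbor 10.255.1.2 remote-as 65002
  neighbor 10.255.1.2 activate
  neighbor 10.255.2.2 remote-as 65002
  neighbor 10.255.2.2 activate

! ===== Office B ASA (WAN = 13.13.13.13, nameif "outside") =====
! (same crypto ikev2 policy / ipsec-proposal / ipsec profile as above)
crypto ikev2 enable outside
! A separate tunnel-group is required for EACH Office A peer address
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
tunnel-group 12.12.12.12 type ipsec-l2l
tunnel-group 12.12.12.12 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
!
! Two VTIs on the same source interface, one per Office A WAN address
interface Tunnel1
 nameif VTI-A-WAN1
 ip address 10.255.1.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 11.11.11.11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
interface Tunnel2
 nameif VTI-A-WAN2
 ip address 10.255.2.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 12.12.12.12
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
router bgp 65002
 address-family ipv4 unicast
  neighbor 10.255.1.1 remote-as 65001
  neighbor 10.255.1.1 activate
  neighbor 10.255.2.1 remote-as 65001
  neighbor 10.255.2.1 activate
```

Each VTI gets its own /30 and its own BGP session, so when WAN1 at Office A goes down the DPD keepalives tear down that IKE SA, the Tunnel1 BGP session drops with it, and the prefixes learned over Tunnel2 take over without any crypto-map or static-route juggling. On Site B the tunnel-group is keyed by the peer's public address, which is exactly why a second tunnel-group for 12.12.12.12 is needed; use a distinct pre-shared key per tunnel-group rather than reusing one. After applying, confirm both SAs and both peers with `show crypto ikev2 sa` and `show bgp summary` on each ASA, then pull WAN1 and verify the Tunnel2 path carries traffic.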
