11-11-2014 04:29 AM - edited 03-11-2019 10:03 PM
Hi,
I have a site currently set up with a Cisco router provided by an ISP, with an ASA sat behind the router configured for multiple site-to-site VPNs.
I am looking at adding further redundancy into this site by installing a secondary internet line going into a secondary router, and then configuring VRRP between the routers.
My question is: will this affect the ASA in any way, will the site-to-site VPNs drop out at all, or will there be any confusion for the ASA?
I can't think of any reason why this would affect the ASA, even in the event of the primary router going down and a failover happening. However, I thought I would try and run this past some people who are better experienced with ASAs.
11-11-2014 06:17 AM
For your central ASA that won't be a major problem. For your spoke it could be a problem. The spoke will have two VPN peers configured, one on each ISP. But through VRRP, only one of these peers will actually work. That is because traffic sent through the secondary ISP will be answered by the ASA and sent to the active router on the primary ISP. The NAT on that device will change the address to the first peer address and the traffic becomes invalid.
A perhaps better solution could be to migrate the VPNs to the routers. Then you won't have the mentioned problem.
11-12-2014 01:56 AM
Thanks for your reply, however I don't quite follow. Perhaps I didn't give enough information.
I will not have two VPN peers configured on the ASA behind the two routers, as we will use VRRP and this ASA will continue to use the same public IP range even when going out through the backup line.