Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
888
Views
0
Helpful
3
Replies

ASA VPNS to the same subnet

dinesh2001
Level 1
Level 1

‎02-27-2013 09:00 AM - edited ‎03-11-2019 06:06 PM

Hi All,

I'd just like to get your opinion on the a weird set up.

I have site A and site B which each have a ASA each. I create 2 VPNS from site A to site B.

My questions is. which VPN would be used for sending traffic? What would be the default behaviour of the ASA in terms of selecting which tunnel it would choose? would it load share?

I dont want to use NAT etc, I just want to know what would happen for lab interest. (My ASA is on loan so I cant test it).

I'm interested as in future I want to make VPN 1 primary and VPN2 as backup.

I look forward to you response

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎02-27-2013 09:35 AM

Hi,

I dont think you can have 2 L2L VPNs between the same 2 VPN endpoints (interfaces/IP addresses)

I guess you would need alot more than just the ASAs to create a redundant connection/routing between 2 sites while using L2L VPN.

Perhaps have

  • 2 Internet connections per site
  • 2 ASAs per site
  • 2 L2L VPNs between the sites
  • Use routers on each site behind the ASAs and use GRE+Dynamic routing to select which VPN connection is used.

I must admit I havent had to do even one of these setups as we connect customer networks/sites through MPLS network and dedicated connections. Might be something interesting to lab though at some point.

- Jouni

0 Helpful

dinesh2001
Level 1
Level 1
In response to Jouni Forss

‎02-27-2013 11:29 AM

Hi Jouni,

Thanks for your reply, Let me tweak the question a little. What if we had 1 ASA at site A, and 2 ASAs at site B. We woud then create 2 VPN tunnels:

tunnel1:     Site A ASA1 to Site B ASA1

tunnel2:     Site A ASA1 to Site B ASA2

So the problem is that Site A only has 1 ASA but with 2 VPN tunnels to the same subnet at Site B. How can we find out which VPN would be taken from Site A to Site B. There are 2 VPNS on Site A ASA so just wondering which one it would take to reach site B??? ... just a matter of interest rather than anything else.

0 Helpful

Jack Leung
Level 1
Level 1
In response to dinesh2001

‎02-27-2013 12:32 PM

So Site A ASA has a tunnel to each of Site B ASAs as peers and each peer encryption domain has the same subnet?  This will depend on the order of the crypto maps you have configured because as soon as the interesting traffic is matched it will fire up that tunnel and it stops there.  Is there any reason why you can't have one VPN peer as active and configure the second peer as the standby?  I'm assuming you're trying to achieve some level of redundancy with 2 active VPN tunnels but I don't believe that will work with ipsec VPNs.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card