12-09-2013 07:27 PM - edited 03-11-2019 08:15 PM
Hi Guys
Might sound like a basic question.
Some points:
0. We have 2 ASAs
1. We have setup a site to site VPN tunnel between our ASA (Monash) and the external site (BMC).
2. The inside interface is 130.194.9.209/28 on ASA1 and 130.194.9.210/28 on ASA2 (VLAN303)
3. The outside interface is 130.194.9.193/28 on ASA1 and 130.194.9.194 on ASA2 (VLAN302)
4. Our ASAs are configured in routed mode
5. The servers within our network that need to use this tunnel sit one router hop away from the ASA, i.e. the servers are not on a directly attached subnet to the ASA.
6. Due to 5 above, we've setup some host routes on the downstream router (which is one hop from the ASA), to point to the inside interface of our ASA (i.e. 130.194.9.209). Note here I've chosen to use ASA1 for testing.
My question is how do we setup a resilient setup where if ASA1 goes down traffic is routed via ASA2? At the moment because I'm using ASA1 for testing, the static routes on the downstream router which is one hop away points to the inside interface of ASA1. This works well. Also note, the other end points to ASA1 outside IP as a peer.
Hope this makes sense.
Any help would be appreciated.
thanks
Sheldon
12-10-2013 07:15 AM
You have a couple of options. The first and the one I would suggest, is to use Reverse Route Injection (RRI). Your other option is to use tracking and/or IPSLA on the router to add/remove routes depending on reachability. On the remote end you'll need to add both 130.194.9.193 and 130.194.9.194 as VPN peers.
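As an added illustration of the tracking/IP SLA option and the dual-peer change described in the reply (example configuration, not from the original thread or any of the sites involved), the fragments below assume a Cisco IOS downstream router and a crypto-map based VPN on the ASAs; the remote (BMC) network and the crypto map names are placeholders, since the thread does not state them.

```cisco
! --- Downstream router (IOS), one hop inside the ASAs ---
! Probe ASA1's inside interface (130.194.9.209) every 5 seconds.
ip sla 1
 icmp-echo 130.194.9.209
 frequency 5
 timeout 1000
ip sla schedule 1 life forever start-time now
!
! Track the probe; dampen flaps so a single lost ping does not swing routes.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary route to the BMC network via ASA1, installed only while track 1 is up;
! floating backup (AD 10) via ASA2 takes over when the probe fails.
! 192.0.2.0/24 is a placeholder for the remote network (not given in the thread).
ip route 192.0.2.0 255.255.255.0 130.194.9.209 track 1
ip route 192.0.2.0 255.255.255.0 130.194.9.210 10
!
! Caveat: this probe only proves ASA1's inside interface answers; it says nothing
! about the state of the tunnel itself. If the far end permits it, probing a host
! behind BMC through the tunnel gives a truer signal than probing the ASA.

! --- Remote end (BMC), assuming a crypto map on an ASA or IOS device ---
! List both Monash outside addresses so IKE can be established with ASA2
! when ASA1 is unavailable (BMC_MAP is a placeholder name).
crypto map BMC_MAP 10 set peer 130.194.9.193 130.194.9.194

! --- Each Monash ASA, if the RRI option is chosen instead (OUTSIDE_MAP is a placeholder) ---
! RRI injects a static route for the remote network into the ASA's own table
! when the SA comes up; the downstream router only benefits if the ASA
! redistributes those statics into a routing protocol it shares with the router.
crypto map OUTSIDE_MAP 10 set reverse-route
```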
12-16-2013 09:45 PM
Thanks for the info - very helpful.
Cheers
Sheldon