08-09-2007 07:12 PM - edited 03-11-2019 03:56 AM
Hi. We are using an ASA [failover pair] and tracking an interface so that we have Internet failover out a 2nd interface to another ISP. When the failover happens, we'd like the vpn tunnels to renegotiate using the backup internet interface to the 2nd ISP. IS this possible? THANKS!
08-16-2007 09:31 AM
I think you will have to do NAT at some Internet router in front of the ASA when the traffic switches from primary to secondary (or when the primary fails), and the remote ASA will have to point to the two peer Internet routers. If one of the Internet links fails, the traffic will be put onto the other Internet link using HSRP. For the remote gateway to accept the traffic from the secondary gateway, the same crypto map on the remote gateway should point to both gateways. You will have to configure more than one peer on the crypto map. Also, the traffic has to be originated from the remote side, because on 7.x code, with more than one peer on the crypto map, the tunnel would need to be initiated only from that specific peer.
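As an added example (not from the original poster or from Cisco's configuration guide), here is what the two-peer arrangement described above looks like in ASA 7.x syntax. Site A is the dual-ISP ASA: its default route out "outside" is tracked with an SLA probe and falls back to "backup", and the same LAN-to-LAN policy is bound to both interfaces. Site B has a single ISP and lists both of Site A's public addresses as peers; it is the side that originates. All addresses, interface names, map names and the pre-shared key are assumed for illustration (RFC 5737 documentation ranges), and comment lines beginning with `!` are explanatory only.

```text
! ---------------- Site A: ASA with two ISPs ----------------
! LAN 10.1.1.0/24 behind "inside"; outside = 203.0.113.10/24 (ISP1),
! backup = 198.51.100.10/24 (ISP2). Site B public address = 192.0.2.10.

! Track reachability of the ISP1 next hop; the primary default route
! is withdrawn when the probe fails, so the backup route takes over.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254

! Interesting traffic and NAT exemption (7.x nat 0 syntax).
access-list L2L_A_TO_B extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list L2L_A_TO_B

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp enable backup
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! One tunnel-group for the single remote peer; Site A only answers.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key CHANGE-ME-use-a-long-random-secret
 isakmp keepalive threshold 10 retry 2

! Same policy bound to each ISP interface; the ASA uses the IP of the
! interface the map is applied to, so no local-address setting is needed.
crypto map OUT_MAP 10 match address L2L_A_TO_B
crypto map OUT_MAP 10 set peer 192.0.2.10
crypto map OUT_MAP 10 set transform-set ESP-AES-SHA
crypto map OUT_MAP 10 set connection-type answer-only
crypto map OUT_MAP interface outside
crypto map BKP_MAP 10 match address L2L_A_TO_B
crypto map BKP_MAP 10 set peer 192.0.2.10
crypto map BKP_MAP 10 set transform-set ESP-AES-SHA
crypto map BKP_MAP 10 set connection-type answer-only
crypto map BKP_MAP interface backup

! ---------------- Site B: ASA with one ISP ----------------
! LAN 10.2.2.0/24 behind "inside"; outside = 192.0.2.10/24.
access-list L2L_B_TO_A extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list L2L_B_TO_A
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! A tunnel-group is needed for every peer address Site A may present.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key CHANGE-ME-use-a-long-random-secret
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key CHANGE-ME-use-a-long-random-secret
 isakmp keepalive threshold 10 retry 2

! Both of Site A's addresses as peers, tried in order; Site B originates.
crypto map OUT_MAP 10 match address L2L_B_TO_A
crypto map OUT_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUT_MAP 10 set transform-set ESP-AES-SHA
crypto map OUT_MAP 10 set connection-type originate-only
crypto map OUT_MAP interface outside
```

Two things to check before relying on this. First, failover is driven by ISAKMP keepalives (DPD) on Site B: only after the configured threshold and retries declare 203.0.113.10 dead does Site B move to the next peer, so the detection time adds to the SLA probe interval on Site A. Second, the tunnel on Site A follows the tracked default route; if ISP1 is restored while Site B is still peered with 198.51.100.10, return traffic for 10.2.2.0/24 is routed out "outside" and no longer matches BKP_MAP, so the tunnel must be torn down (it will time out on DPD) and rebuilt against the primary peer. Verify with `show crypto isakmp sa` and `show crypto ipsec sa` on both sides while pulling the ISP1 link.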
08-16-2007 12:11 PM
What kind of Internet connections do you have or will you have?
Check this link:
ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example
08-16-2007 06:11 PM
THANK YOU SO MUCH.
I think I got this licked on Wed.
Rough stuff.
Thanks!!!!
03-20-2008 04:16 PM
Hi Netsec,
Were you able to get this configured as desired? I am in the process of trying to do a similar thing. I have a VPN over ISP 1 on Firewall 1 to ISP 1 on Firewall 2, each at a different site, and I need the VPN to fail over along with the Internet link.
Thanks in advance...
03-20-2008 05:04 PM
I'm sorry... we never got this to work effectively....