
Building site-to-Site ACTIVE / STANDBY tunnels

Hi,

I'll keep it very simple.

We already have a Site-to-Site tunnel from our datacenter to one of our clients, and it's working fine.

Our client wants to build a standby tunnel in case the Active tunnel goes down.

Both tunnels have different service providers in between, thus have different routes.

We are using an ASA 5510 for building the tunnels.

I am thinking of configuring some kind of ICMP SLA. When the active tunnel PEER ping fails, the ASA should automatically take the standby tunnel to maintain the flow. But I don't have any clue how to build it.

Is it possible? Or are there any other possibilities? So which steps do I need to take to get it to work?

Expecting an accurate answer.

1 Reply 1

Hi,

In this case, you will indeed need to set up IP SLA and backup routes:

- http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/70559-pix-dual-isp.html

You can have it ping either the other side of the tunnel or a public IP address such as 8.8.8.8, so it will monitor either the status of the tunnel or the Internet connectivity.

Also, if you set this up, on the remote peer side you will need to set up another tunnel group for the backup public IP address with the same pre-shared key. On the crypto map configuration, you will also need to add the secondary public IP address as the secondary peer.

Let me know how it works out!

 

Please rate this post and mark it as correct if it helped you!

David Castro,

Regards,
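
The setup described in the reply above, sketched as an added example (not part of the original posts and not taken from the linked Cisco document). Assumptions: ASA 8.4+ IKEv1 syntax (on older releases use `crypto isakmp enable` and `pre-shared-key`), the remote peer is also an ASA, the interface name `backup`, the crypto map name `VPN-MAP` with sequence 10, and all addresses are constructed placeholders from documentation ranges.

```text
! --- Local ASA 5510: "outside" faces the primary ISP, "backup" the standby ISP ---
! Constructed addresses: 203.0.113.1 = primary ISP gateway,
! 198.51.100.1 = backup ISP gateway, 192.0.2.10 = remote peer public IP.

! Probe the remote peer through the primary interface every 10 seconds
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.10 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now

! Track object 1 follows the reachability result of SLA operation 1
track 1 rtr 1 reachability

! The primary default route stays installed only while track 1 is up;
! the backup route (metric 254) takes over once it is withdrawn
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! Bind the existing crypto map to both interfaces and enable IKEv1 on both
crypto map VPN-MAP interface outside
crypto map VPN-MAP interface backup
crypto ikev1 enable outside
crypto ikev1 enable backup

! --- Remote peer ---
! Constructed addresses: 203.0.113.2 = our primary public IP,
! 198.51.100.2 = our backup public IP.

! Peers are tried in the order listed: primary first, then backup
crypto map VPN-MAP 10 set peer 203.0.113.2 198.51.100.2

! One tunnel group per public IP, both with the same pre-shared key
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <same-pre-shared-key>
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key <same-pre-shared-key>
```

After a failover test, `show track` and `show route` on the local ASA show whether the tracked route was withdrawn and the metric-254 route installed.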
