Cisco ASA Site to Site VPN Tunnel Redundancy Query

SHABEEB KUNHIPOCKER · ‎09-06-2023

Hello,

We have two data centers (HQ and DR) and our customers have two data centers (HQ and DR).
We have a requirement to create VPN tunnels from our data centers to the customer data centers
with maximum redundancy. My initial plan was to create total 4 tunnels as below.

Tunnel A from Local HQ --> Remote HQ
Tunnel B from Local HQ --> Remote DR
Tunnel C from Local DR --> Remote HQ
Tunnel D from Local DR --> Remote DR

The VPN firewall is Cisco ASA on all the sites (our sites and the customer sites). The issue that I am seeing
with this design is with the tunnel selection. For example when traffic reaches local HQ ASA, how does it can choose
which tunnel to send the traffic when the source and destinations are the same. I have doubt as well whether we can create
4 tunnels as the source and destination are the same. Please advise and suggest the best design approach for the requirement.

Thanks

Shabeeb

giovanni.augusto · ‎09-06-2023

if the 4 ASAs are relatively recent you could use VTIs and exchange routes between them, at that point is all about setting the right BGP metrics to favor traffic flow as your design choice.

SHABEEB KUNHIPOCKER · ‎09-06-2023

Hello Giovanni,

Thanks a lot for your response. The issue is that the remote entity will not be flexible enough to run BGP with us. They would be preferring static routes.