05-11-2007 05:04 AM - edited 02-21-2020 01:31 AM
We have a site which wants to connect back to our main office from an ASA running v7.2 via two different IPSec tunnels - one on the ASA's outside interface and one on its dmz. They want to set it up so that if the tunnel on the outside interface goes down, traffic will automatically reroute through the tunnel on the dmz. The equipment on the other end (the main office) is a Pix 525 running v7.2.
One of my coworkers said this could be done using dead-peer detection, but had no details on how to set it up. Can anyone point me to a document that shows how to configure this? I have so far been unable to find one on cisco.com.
05-11-2007 05:22 AM
For PIX and ASA it is...
isakmp keepalive
ASA
PIX
http://cisco.com/en/US/docs/security/pix/pix63/command/reference/gl.html#wp1027312
05-11-2007 06:38 AM
Thanks. What I also need is a link showing an example of how to set up failover between two IPSec tunnels on different interfaces using DPD. That is what I have so far been unable to locate. Does anyone have a link for that?
05-11-2007 07:24 AM
I have always used DPD for a remote site with 2 peers and 1 interface, not 1 peer and 2 interfaces. If the remote site lost contact with the first peer, it would move to the next peer in the list. But making the ASA route to a particular peer depending upon whether it is alive or not sounds like another story.
It sounds to me like the new "Backup ISP" option of ASA 7.2, or object tracking in the IOS world, is what you are looking for. You could have a specific route to the peer on the outside interface dependent upon whether it could ping the peer. If it could not, it would put in the floating static route, which would route to that peer out the DMZ interface, therefore bringing up the tunnel. I'm not saying it's not possible with DPD specifically; I just don't know anything about it. Maybe someone else can chime in on that.
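Putting the two suggestions in this thread together as an added example (this is not configuration posted by anyone in the thread): ISAKMP keepalives (DPD) on the tunnel-group so a dead tunnel is torn down, the same crypto policy bound to both the outside and dmz interfaces, and an SLA-tracked host route so the main office peer is reached via dmz only while the outside path is failing. All addresses, object names, subnets and the pre-shared key are hypothetical placeholders.

```cisco
! Hypothetical addresses (RFC 5737 documentation ranges), not from the thread:
!   main office PIX peer  192.0.2.1
!   outside next hop      198.51.100.1     dmz next hop   203.0.113.1
!
! 1. Phase 1 on both interfaces, with DPD keepalives on the peer's tunnel-group
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-KEY
 isakmp keepalive threshold 10 retry 2
!
! 2. One crypto policy, applied to both interfaces (hypothetical LAN subnets)
access-list vpn-traffic extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address vpn-traffic
crypto map outside_map 10 set peer 192.0.2.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto map dmz_map 10 match address vpn-traffic
crypto map dmz_map 10 set peer 192.0.2.1
crypto map dmz_map 10 set transform-set ESP-AES-SHA
crypto map dmz_map interface dmz
!
! 3. Probe the peer through outside; when the probe fails the tracked host
!    route is withdrawn and the floating route (AD 254) via dmz takes over.
!    "interface outside" pins the probe to that path so it can also detect recovery.
sla monitor 123
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outside 192.0.2.1 255.255.255.255 198.51.100.1 1 track 1
route dmz 192.0.2.1 255.255.255.255 203.0.113.1 254
```

The main office PIX must accept IKE from both the ASA's outside and dmz addresses, and `show track 1` together with `show crypto isakmp sa` shows which path the tunnel is currently using.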