Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
922
Views
10
Helpful
6
Replies

IPsec Failover

Go to solution
sumy756
Level 1
Level 1

‎06-06-2022 01:35 AM

Hello community,

 

I have created a ipsec with two ASA both location having 2 ISP link. I have down NAT for both side.

 

what command need to put on both firewall that will activate failover. once primary ISP down them secondary.

should be up..

 

Sumy,

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jitendra Kumar
Spotlight
Spotlight

‎06-06-2022 01:40 AM

Hi Sumy,

 

Please if the tunnel is up and working fine use the below command for failover.

 crypto map outside_map 3 set peer 8.8.8.8 2.2.2.2 

 keep primary IP first then secondary ip.

 

Thanks,

Jitendra

Thanks,
Jitendra

View solution in original post

6 Replies 6

Go to solution
Sheraz.Salim
VIP
VIP

‎06-06-2022 01:40 AM - edited ‎06-06-2022 01:43 AM

to check which firewall is active and which one is passive you give command on the ASA "Show failover" or "show failover | i host"

 

Failover will actiavte itself if you have put the interface monitoring on. you can check this "show monitor interface"

 

Normally the interface come up as default when you configure the failover apart from sub-interface you have to bring it in as monitoring.

 

"I have created a ipsec with two ASA both location having 2 ISP link. I have down NAT for both side."

for this you need to configure ip sla for it to work.

Configure the ASA for Redundant or Backup ISP Links 

please do not forget to rate.
0 Helpful

Go to solution
sumy756
Level 1
Level 1
In response to Sheraz.Salim

‎06-06-2022 01:48 AM

@Sheraz.Salim for the reply. Having standalone ASA,s both sides. no failover.

 

 

0 Helpful

Go to solution
Jitendra Kumar
Spotlight
Spotlight

‎06-06-2022 01:40 AM

Hi Sumy,

 

Please if the tunnel is up and working fine use the below command for failover.

 crypto map outside_map 3 set peer 8.8.8.8 2.2.2.2 

 keep primary IP first then secondary ip.

 

Thanks,

Jitendra

Thanks,
Jitendra

Go to solution
Sheraz.Salim
VIP
VIP
In response to Jitendra Kumar

‎06-06-2022 01:45 AM - edited ‎06-06-2022 01:49 AM

sorry i did not read the question properly,

 

if you running ipsec on version IKEV2 in that case you need to be on ASA version 9.14. failover ipsec for ikev2 is support in version 9.14

 

here is the link for ASA Multi-Peer IKEv2 VPN 

please do not forget to rate.
0 Helpful

Go to solution
sumy756
Level 1
Level 1
In response to Jitendra Kumar

‎06-06-2022 01:51 AM

thanks, Cool Correct one... I have tested...

 

 

Sumy,

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎06-06-2022 07:42 AM

this design is SubOptimal, 
ASA-1 use Secondary  but ASA-2 still use Primary 
the traffic will drop.
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212478-configure-asa-virtual-tunnel-interfaces.html

this best solution from Cisco.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card