924 Views, 10 Helpful, 6 Replies

IPsec Failover

sumy756
Level 1

Hello community,

 

I have created an IPsec tunnel between two ASAs; both locations have 2 ISP links. I have done NAT on both sides.

What command needs to be put on both firewalls to activate failover? Once the primary ISP is down, the secondary should be up.

 

Sumy,

Accepted Solution

Jitendra Kumar
Spotlight

Hi Sumy,

 

If the tunnel is up and working fine, please use the below command for failover.

crypto map outside_map 3 set peer 8.8.8.8 2.2.2.2

Keep the primary IP first, then the secondary IP.

 

Thanks,

Jitendra

6 Replies

To check which firewall is active and which one is passive, use the command "show failover" or "show failover | i host" on the ASA.

Failover will activate itself if you have put interface monitoring on. You can check this with "show monitor interface".

Normally the interfaces come up as monitored by default when you configure failover, apart from sub-interfaces, which you have to bring in as monitored.

"I have created an IPsec tunnel between two ASAs; both locations have 2 ISP links. I have done NAT on both sides."

For this you need to configure IP SLA for it to work.

Configure the ASA for Redundant or Backup ISP Links

please do not forget to rate.
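Putting Jitendra's multi-peer crypto map together with the IP SLA route tracking Sheraz points to, here is an added example of one site's ASA configuration; it is not the original poster's config or Cisco's document. The interface names "outside" and "backup", the addresses (documentation ranges), the object and ACL names and the pre-shared-key placeholder are assumptions, and it uses IKEv1 because the thread notes that multi-peer IKEv2 needs ASA 9.14.

```text
! Added example: one site's ASA. Interface names "outside" (primary ISP) and
! "backup" (secondary ISP), addresses and object names are assumed, not from the thread.
!
! 1. Track the primary ISP gateway with IP SLA. When the probe fails the tracked
!    default route is withdrawn and the metric-254 route via the backup ISP takes over.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! 2. NAT exemption for the site-to-site traffic on both ISP interfaces.
object network LOCAL_LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
nat (inside,backup) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
!
! 3. One crypto map entry lists the remote site's primary peer first and its backup
!    peer second; the map is bound to both local ISP interfaces.
access-list VPN_ACL extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 3 match address VPN_ACL
crypto map outside_map 3 set peer 192.0.2.10 192.0.2.20
crypto map outside_map 3 set ikev1 transform-set AES256-SHA
crypto map outside_map interface outside
crypto map outside_map interface backup
crypto ikev1 enable outside
crypto ikev1 enable backup
!
! 4. A tunnel-group per remote peer address; DPD keepalives let the ASA notice a
!    dead primary peer and retry with the second peer in the list.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 3
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 3
```

The remote ASA needs the mirror-image configuration with this site's two addresses in its own set peer list; "show track 1" and "show crypto ikev1 sa" confirm which route and which peer are in use after a failover. As the last reply in the thread points out, the two ends can still settle on different peers with this design, which the VTI-based design in the linked Cisco document avoids.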

@Sheraz.Salim for the reply. Having standalone ASAs on both sides; no failover.

 

 


Sorry, I did not read the question properly.

If you are running IPsec with IKEv2, in that case you need to be on ASA version 9.14. Failover IPsec for IKEv2 is supported in version 9.14.

Here is the link for ASA Multi-Peer IKEv2 VPN

please do not forget to rate.

Thanks, cool. Correct one... I have tested...

 

 

Sumy,

This design is suboptimal:
ASA-1 uses the secondary but ASA-2 still uses the primary;
the traffic will drop.
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212478-configure-asa-virtual-tunnel-interfaces.html

This is the best solution from Cisco.