
IPSec Tunnel Redundancy Solution

zekebashi
Level 4

Hello,
We currently have a pair of ASA 5510s configured in failover. We have a site-to-site IPSec VPN configured to a remote site. So, hardware-wise, we have a failover solution but not a logical one where, if the IPSec tunnel were to fail, it would fail over to another tunnel. Is there such a solution? Are there any recommendations to mitigate IPSec tunnel failures, provided that the primary ASA and the link to the ISP are operational?
Thanks in advance.

~zK 
3 Replies

Hi,
You can define a backup peer ip address on the crypto map, which would only be used if the first peer ip address is down. E.g. - "crypto map CRYPTO_MAP 5 set peer 1.1.1.1 2.2.2.2"

HTH

Ajay Saini
Level 7

Hello,
If you are considering a scenario wherein you have dual ISPs and wish to fall back to the second ISP for the VPN tunnel if the primary ISP fails, then yes, it is possible:
It will be similar to:
https://community.cisco.com/t5/vpn-and-anyconnect/cisco-asa-dual-isp-vpn-redundancy/td-p/1723979
If you have any other specific failure scenario in mind, please let us know.
Regards,
AJ
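The two ideas above, a backup peer on the crypto map and falling back to a second ISP, fit together in one configuration. The fragment below is an added illustration, not from any reply in this thread or from the linked Cisco document. It assumes ASA 8.4-or-later command syntax (`crypto ikev1 ...`, object NAT); every interface name, address and object name is a placeholder: `outside` is the primary ISP interface with gateway 192.0.2.1, `backup` is the second ISP interface with gateway 198.51.100.1, the remote site offers peers 203.0.113.10 (primary) and 203.0.113.20 (backup), and the LANs are 10.10.0.0/24 locally and 10.20.0.0/24 remotely.

```cisco
! Added example, not taken from this thread. Assumed ASA 8.4+ syntax; all
! names and addresses are placeholders (see the lead-in).
!
! --- two ISP-facing interfaces ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! --- ISP reachability tracking: ping the primary ISP gateway every 10 s.
! When the probe fails, the tracked default route is withdrawn and the
! floating (metric 254) route via the backup ISP takes over. ---
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! --- interesting traffic, exempted from NAT on both ISP interfaces ---
object network LOCAL_LAN
 subnet 10.10.0.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.20.0.0 255.255.255.0
access-list VPN_TRAFFIC extended permit ip object LOCAL_LAN object REMOTE_LAN
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
nat (inside,backup) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
!
! --- IKEv1 / IPsec parameters; use the strongest DH group the image supports ---
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ikev1 enable backup
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
!
! Two peers on one crypto map entry: the second is only tried when the
! first is unreachable.
crypto map CRYPTO_MAP 5 match address VPN_TRAFFIC
crypto map CRYPTO_MAP 5 set peer 203.0.113.10 203.0.113.20
crypto map CRYPTO_MAP 5 set ikev1 transform-set AES256-SHA
! The same map is bound to both ISP interfaces so the tunnel can be built
! from whichever interface currently holds the default route.
crypto map CRYPTO_MAP interface outside
crypto map CRYPTO_MAP interface backup
!
! One tunnel-group per remote peer address. Dead Peer Detection (threshold
! and retry in seconds) is what notices a dead primary peer quickly enough
! for the backup peer to be tried instead of waiting for SA expiry.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PSK
 isakmp keepalive threshold 10 retry 2
```

The remote side must mirror this: it needs a tunnel-group for each of our two public addresses (192.0.2.2 and 198.51.100.2) and, if it also has two peers, its own `set peer` list. To verify which path is in use after a simulated ISP outage, check `show track 1`, `show sla monitor operational-state 10`, `show crypto ikev1 sa` and `show crypto ipsec sa`; the IKE SA's peer and local address tell you which peer and which interface the tunnel was rebuilt on.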

Alex Pfeil
Level 7

You may also be able to set up the firewalls in multiple context mode in an active/active state. You could then build an IPSec tunnel from each ASA through the two ISPs and have both tunnels up at the same time. Depending on your routing, you could send some traffic one way, and some traffic the other way. There are some caveats with multiple contexts, such as you cannot have the same VLAN between contexts.