vpn dead peering detection

r.kukreja
Level 1

Hi

I have a remote site in which a site-to-site VPN is configured with the hub site using a 5510 model. Now I am using a load balancer in which 2 ISPs will terminate, one is Sify and the other is Reliance. Now I want, if suppose the IPsec tunnel is configured primary with Sify, and the Sify link fails at the hub site, then the remote site should be able to communicate with Reliance, which is secondary.

Recently I posted a query in VPN but did not find a satisfactory answer. Can you tell me how to achieve this, or if there is any document with configuration?

Regards,

rajat

7 Replies

r.kukreja
Level 1

Varun,

Can you help me? It is very urgent.

Hi,

Can anybody help?

Hi Rajat,

Try adding a floating static route on the ASA. For example:

route outside 0.0.0.0 0.0.0.0 (ip address of sify router) 0

route outside 0.0.0.0 0.0.0.0 (ip address of reliance router) 255

So now when Sify is unavailable traffic will go through Reliance; however, on the remote site you have to add a new tunnel with the IP address of Reliance as the peer.

Please let me know if I didn't get your question properly.

Regards,

Sian

Hi Parminder,

I don't want to make any change at the corp office. There is already a load balancer deployed. What I want is that the remote tunnel automatically detects the primary and secondary roles, i.e. automatic VPN failover. There is some dead peer detection method, but I am not able to understand how to apply this method.

Regards,

Rajat

Hi Rajat,

You need to apply SLA monitoring for it; you can refer to this doc for it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

For the VPN traffic to fail over, you would need to just add these commands for it:

Let's assume the new interface is called backup, so you would need to enable the crypto map on it (the crypto map name is whatever map you already apply to the primary interface):

crypto map <crypto-map-name> interface backup

Enable the ISAKMP policy as well:

crypto isakmp enable backup

That's all you would need.

Let me know if you have any questions.

Thanks,

Varun


Hi Varun,

Thanks for your response.

My topology is not like that. What I have is a corporate office in which we plan to deploy a load balancer, in which 2 internet leased lines are terminating. The load balancer is like a name server. Now behind the load balancer there are 2 firewalls, one for each ISP, say Bharti and Tulip. Now the remote location, say US, has 1 firewall and 1 internet leased line. Currently the remote location makes a site-to-site VPN with Bharti. Because of adding the load balancer in the corporate location I can provide VPN redundancy. In VPN there are multiple options for setting the peer; right now it is peering with Bharti, and I will add another IP of Tulip in the remote location ASA.

Now the Tulip IP is NATed to the Bharti IP internally in the load balancer. The Tulip IP is mentioned in the remote ASA peer; if Bharti fails, through Tulip the US will reach Tulip, and then with further NATing it can peer with the Bharti ASA.

Now the question arises how the ASA at the remote location will detect that my primary reachability is through Bharti and secondary through Tulip. If the primary fails then go to Tulip. If the primary link comes back up, it should again peer with Bharti. Kindly read the dead peer detection mechanism. Waiting for your response.

Regards,

rajat
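The following is an added example configuration for the remote-site ASA, not taken from any post in this thread, showing the two pieces the posts above discuss: the crypto map with two hub peers in preference order (Bharti first, Tulip second), and dead peer detection (DPD) in each tunnel-group so the ASA tears down a tunnel whose peer stops answering and moves on to the next peer in the list. All names, addresses and the pre-shared key placeholder are assumed values (ASA 8.x syntax).

```cisco
! Added example, not from the thread. Assumed: outside interface "outside",
! crypto map "VPNMAP", primary hub peer 203.0.113.10 (Bharti),
! secondary hub peer 198.51.100.10 (Tulip, NATed to the Bharti ASA by the
! load balancer), remote LAN 10.1.1.0/24, corporate LAN 10.0.0.0/24.
!
! 1. Interesting traffic for the tunnel
access-list VPN_TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
!
! 2. Phase 1 and Phase 2 parameters (must match the hub ASA)
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
!
! 3. One crypto map entry listing BOTH hub peers. The ASA attempts IKE with
!    the first peer; only if that fails does it try the next one in the list.
crypto map VPNMAP 10 match address VPN_TRAFFIC
crypto map VPNMAP 10 set peer 203.0.113.10 198.51.100.10
crypto map VPNMAP 10 set transform-set AES256-SHA
crypto map VPNMAP interface outside
crypto isakmp enable outside
!
! 4. A tunnel-group per hub peer with DPD enabled. "threshold" is the number
!    of idle seconds before the ASA sends a DPD probe, "retry" the seconds
!    between unanswered probes. When the probes go unanswered the SA is torn
!    down and the peer list in step 3 is walked again.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
!
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
```

Note that the ASA does not move back to the first peer on its own while the tunnel to the second peer is still up; it re-walks the peer list only when the current SA is torn down (DPD failure or lifetime expiry), so a return to Bharti after its link recovers is not immediate.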

Hi,

Can anybody look at this sincere problem?

Regards,

Rajat
