VPN with Failover

f.iversen · ‎07-16-2009

I have a ASA 5540 (actualy 2 in Active/Standby setup) connected to the Internet and Internaly a DMZ where I get the traffic from my SecureMobile provider.

On remote site I have a Sarian DR6410 router with a ADSL interface and a GPRS/3G int.

I have no problems getting the IPSEC up and running on both interfaces and I'm able to ping from the LAN Internal -> Remote and opposit so long I have a static route in both ends prioritized to send traffic on the same Interface. My intension was to have the 3G/Gprs interface as a failover but I would like it to be done automaticly. I have configured a route in both ends with a best metric using the ADSL (1) and the 3G (255).

What is the best solution ?. Will it be running OSPF between the Sarian and the ASA or could I do something else to solve my problem.

Annother question is, will the ASA could handle around 150 VPN Tunnel's or what is the limitations ?. The tunnels are not heavy loaded.

I'll hope anyone of your experts can help me.

Ivan Martinon · ‎07-21-2009

OSPF through a tunnel would work as long as there is one a single tunnel endpoint, or you can use object tracking so that when the primary link is down, the ASA will change the route to the 3G/GRPS interface, see the link below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

And here is a table that shows the amount of lan to lan tunnels for every ASA platform

https://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

I think you got your concerned pretty much covered.