IP SLA - Monitor VPN Tunnel

cschl
Level 1

Hello

We have a VPN tunnel to another company and would like to maximize uptime (of course). We have two ISPs and two firewalls, one Cisco and one Palo Alto. Having two tunnels on the same device makes sense enough. However, is there a way to determine at our core switch (catalyst 3850) which device has the active tunnel? This article shows a nexthop-ip which would be ideal here, but the option does not appear for us when configuring the IP SLA on our Catalyst. 

 

I'm also concerned that simply monitoring the routes to the firewall devices locally will not be useful. For example, if Primary Firewall is restarted, inclining the remote VPN device to connect to Secondary Firewall, our monitored route may temporarily correctly point to the Secondary Firewall, but once it comes back online, we will direct traffic to Primary while the remote VPN would remain on the Secondary.


If there are existing resources on how to set this up, I'd appreciate hearing about them. Perhaps the only solution is to get a secondary firewall for legitimate failover?

 

Thanks
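As an added example (not from the original post) of the IP SLA approach the question asks about on the Catalyst 3850: in IOS-XE the `icmp-echo` probe simply follows the routing table, so instead of a next-hop option the usual technique is to pin the probe target to the primary firewall with a /32 host route and probe a host on the far side of the tunnel rather than the firewall itself. All addresses (core SVI 10.0.0.1, Cisco firewall inside 10.0.0.2, Palo Alto inside 10.0.0.3, remote LAN 192.168.100.0/24, probe target 192.168.100.10) are assumptions made for the example.

```cisco
! Catalyst 3850 (IOS-XE) - added example, not configuration from the thread.
! Assumed addressing: core SVI 10.0.0.1, Cisco firewall inside 10.0.0.2,
! Palo Alto inside 10.0.0.3, remote company LAN 192.168.100.0/24,
! probe target 192.168.100.10 (a host behind the remote VPN gateway).
!
! Pin the probe target to the Cisco firewall so the probe always tests the
! tunnel on that device, even after user traffic has failed over.
ip route 192.168.100.10 255.255.255.255 10.0.0.2
!
! Probe across the tunnel, not the firewall's own interface: the firewall
! answers pings whether or not its IPsec tunnel is established.
ip sla 10
 icmp-echo 192.168.100.10 source-ip 10.0.0.1
 frequency 10
 timeout 2000
 threshold 1500
ip sla schedule 10 life forever start-time now
!
! Dampen flaps so a single lost probe does not move traffic, and wait
! longer before returning to the primary than before leaving it.
track 10 ip sla 10 reachability
 delay down 30 up 60
!
! Primary path via the Cisco firewall, withdrawn while track 10 is down;
! the floating static via the Palo Alto (AD 200) then takes over.
ip route 192.168.100.0 255.255.255.0 10.0.0.2 track 10
ip route 192.168.100.0 255.255.255.0 10.0.0.3 200
```

Verify with `show track 10`, `show ip sla statistics 10` and `show ip route 192.168.100.0`. Because the probe is pinned through the Cisco firewall, traffic only returns to it once a ping actually succeeds through that device's tunnel; if the remote side stays on the Palo Alto after a reboot, the pinned probe keeps failing and the floating route remains in use, which is the failback behaviour the question is worried about. The remote crypto ACL must permit the core's source address, and the /32 target should be a dedicated host or the remote gateway's inside address, since it stays routed via the primary firewall at all times.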

4 Replies

balaji.bandi
Hall of Fame

Make a small diagram of how your network and IP addresses are allocated.

You need to have HSRP between the FWs (at a high level, to meet the requirement), and IP SLA needs to be run on the FW - this is a high-level view.

Once we see the network diagram and config, we can give you the right direction.

 

BB


The original post says that they have two firewalls, one Cisco and one Palo Alto. That means that HSRP is not an alternative.

We do not know much about this environment and that makes it difficult to give good advice. We do not know if the VPNs are simple IPsec with crypto map implementations, or if they are some type of tunneling implementation (perhaps something like GRE or VTI - though with one firewall being Palo Alto, VTI is probably not realistic). If the VPN is a tunneling type then I would suggest that running a dynamic routing protocol over the tunnel would be a good way for both sides to be aware of which tunnel is active and to stay in sync with each other.

 

HTH

Rick

Hello,

 

what you could do is configure an EEM script on the ASA that monitors the VPN connection, and if the VPN is down, sends a syslog message to the Catalyst 3850. Another EEM script on the 3850 could then redirect traffic based on the availability of either VPN.

Use reverse route injection; the active IPsec tunnel will inject the route and hence let the core SW know how to forward traffic.
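As an added example (not from the thread) of combining the two suggestions above, Rick's dynamic routing toward the core and the reverse route injection in the last reply: the Cisco firewall is assumed to be an ASA using a crypto map, and it redistributes the injected static into EIGRP so the core switch learns the remote prefix only while that tunnel's SA is up. Peer address 203.0.113.50, the ACL and crypto map names, the IPsec proposal name (assumed to exist already, along with the IKEv2 policy), EIGRP AS 100 and the inside addressing (ASA 10.0.0.2, Palo Alto 10.0.0.3, core 10.0.0.1) are all assumptions; the Palo Alto side is not shown.

```cisco
! Cisco firewall (assumed to be an ASA) - added example, not from the thread.
! Assumed addressing: inside 10.0.0.2/24 facing the core switch at 10.0.0.1,
! remote VPN peer 203.0.113.50, remote company LAN 192.168.100.0/24.
access-list REMOTE_COMPANY extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
!
crypto map OUTSIDE_MAP 10 match address REMOTE_COMPANY
crypto map OUTSIDE_MAP 10 set peer 203.0.113.50
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA
! "dynamic" (on ASA releases that support the keyword) installs the static
! route for 192.168.100.0/24 only while the IPsec SA is up and removes it
! when the SA is torn down; without it the route is present permanently.
crypto map OUTSIDE_MAP 10 set reverse-route dynamic
crypto map OUTSIDE_MAP interface outside
!
! Advertise the injected route to the core so the core follows tunnel state.
router eigrp 100
 network 10.0.0.0 255.255.255.0
 redistribute static
!
! ---- Catalyst 3850 (IOS-XE), assumed core switch ----
router eigrp 100
 network 10.0.0.0 0.0.0.255
!
! Backup: floating static toward the Palo Alto at AD 200, used only while
! the ASA's external EIGRP route (AD 170) for the prefix is absent.
ip route 192.168.100.0 255.255.255.0 10.0.0.3 200
```

On the ASA, `show route static` shows the injected route only while the SA is established; on the 3850, `show ip route 192.168.100.0` should show a `D EX` entry from the ASA when its tunnel is active and the static via the Palo Alto otherwise. Since `redistribute static` would also advertise any other static routes on the ASA (a default route, for instance), add a route-map that matches only the VPN prefix if other statics exist.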