IPsec Site-to-Site VPN High Availability

armand.ndayikeza1 · ‎01-31-2017

Hello;

I would like to get some of your ideas, Am having a primary site and DR site, both having Cisco ASA on which i would like to configure site-to-site VPN with our partners.

My question is how can i most efficiently accomplish high-availability so that when there is a Disaster occurs at the Primary Site, our partners can automatically be directed to the DR site.

I have seem mainly 2 options, one which is to set 2 peers at the partner VPN level, and the other one is to use HRSP and use a Virtual IP as the peer for the Partners VPN.

Any Advise on that???

Richard Burts · ‎02-01-2017

You have not told us much about the primary site and the DR site, including how close/how far apart they are or how they are connected. Those factors would have an impact on whether it is feasible to use HSRP.

HTH

Rick

HTH

Rick

armand.ndayikeza1 · ‎02-01-2017

Hi Richard;

The primary site and DR site will be connected through Fiber cables connectivity( we have a service provider who will handle that).

The Primary and DR Site are 125 km away of each other.

The Partner will connect to Primary and DR site through Internet.

Regards.

Richard Burts · ‎02-01-2017

Thank you for the additional information. Based on this distance I would think that having two peer addresses on the set peer in the crypto map would be preferred to trying HSRP.

HTH

Rick

HTH

Rick

armand.ndayikeza1 · ‎02-01-2017

Hi Richards;

Thanks for your advise, however my only concern with setting 2 peers on the partner side is the missing preempt option. What I mean is let's say the primary side goes down and the crypto is negotiated with the DR site ASA, what happens if the primary site comes up again, is there any mechanism to use so that the partner will automatically shift back to the primary site?

Regards

Richard Burts · ‎02-02-2017

I am not aware of a mechanism in the site to site VPN on ASA that would automatically fail back to the primary. So that is a challenge. Perhaps there could be some monitoring software that could detect the failover and would fail back when the primary is back in service. If this were IOS routers I might look at EEM for this. But I am not sure what to suggest for ASA.

I did a project for a customer who had similar requirement for remote sites to access a primary site and a backup site, and to have fail back to primary if we had failed over to backup. We were doing this project with IOS routers and what we did was to configure two VTI tunnels on the remote, one to primary and one to backup. Both tunnels were up all the time. We ran a routing protocol over the tunnels and arranged the metric to establish a primary and a backup. As long as both were operational the traffic went to primary. If there was a problem with the primary the routing protocol automatically sent traffic over the backup, until the primary recovered and at that point the routing protocol automatically switched back to the primary. Cisco has recently introduced some VTI capabilities for the ASA. You might look to see if that might be an option that could work for you.

HTH

Rick

HTH

Rick