10-29-2020 03:06 PM
Hello,
I have a site-to-site VPN from my Cisco ASAs to another customer - it works fine and both tunnels can ping the remote IP address.
I have routing to the customer subnets from my internal Layer 3 switch:
sw1-Layer3#ip route 10.108.x.x 255.255.255.128 172.66.1.200 (firewall interface)
I have a second firewall plugged in for redundancy, sourced from a second Layer 3 switch:
sw2-Layer3#ip route 10.108.x.x 255.255.255.128 172.77.1.300 (firewall interface)
Is it possible to route the traffic via the second firewall 172.77.1.300 if the first firewall 172.66.1.200 is offline? I still have access to the second firewall via a different switch.
i.e. can I have a secondary preferred route, or would I have to think about a route map?
Regards,
Kevin
10-29-2020 03:23 PM
Hello,
How are both Layer 3 switches connected? Your options include IP SLA, HSRP, VRRP, or some sort of EEM script to trigger the failover. Post a schematic drawing of your topology that shows how everything is connected.
10-30-2020 01:54 AM
Both Layer 3 switches are connected and I have routing between the two links (no issues at all). They are in separate datacentres. What I have is two separate site-to-site VPNs routing to the same subnet, and it works. I have a server on sw1-Layer3, and when the sw1-Layer3 VPN is off that server can no longer ping the external IPs. So I was thinking, could I get it to ping the external IP via 172.77.1.300 as a backup route?
ip route 10.108.x.x 255.255.255.128 172.66.1.200
ip route 10.108.x.x 255.255.255.128 172.77.1.300 secondary
Is this possible?
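IOS has no "secondary" keyword on ip route; the usual way to get the behaviour asked for above is a floating static route (same prefix, higher administrative distance) combined with an IP SLA probe and a track object so the primary route is withdrawn when the path through the first firewall stops answering. The configuration below is an added example for sw1-Layer3 and is not from the original thread. It assumes a placeholder customer prefix 10.108.0.0/25, a placeholder probe target 10.108.0.1 that answers ICMP from inside the tunnel, and a placeholder next-hop 172.77.1.1 for the link towards sw2 (172.77.1.300 as written is not a valid IPv4 address, and from sw1 the backup next hop is the path to the second switch, not the second firewall itself).

```cisco
! --- sw1-Layer3: IP SLA probe through the primary firewall (added example) ---
! Probe a host inside the customer subnet; the source interface must be an
! address that both ASAs include in their crypto (interesting-traffic) ACLs.
ip sla 10
 icmp-echo 10.108.0.1 source-interface Vlan66
 frequency 10
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Track reachability; dampen flaps so a single lost echo does not fail over.
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! Primary route: installed only while track 10 is up (default AD 1).
ip route 10.108.0.0 255.255.255.128 172.66.1.200 track 10
!
! Floating static: AD 250 keeps it out of the RIB until the tracked route
! is withdrawn, then traffic follows the link to sw2 and out via firewall 2.
ip route 10.108.0.0 255.255.255.128 172.77.1.1 250
```

Check the result with "show track 10" and "show ip route 10.108.0.0" while the primary tunnel is up and again after it is down. Two things are needed for the backup path to actually carry traffic: the second ASA's crypto ACL must match the server's source addresses, and the customer end must route the return traffic to the tunnel that is currently in use, otherwise the path fails asymmetrically even though the route on sw1 flips correctly.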
10-29-2020 04:06 PM
Failover ASA with two contexts would solve your issue.
No need for any HSRP.
The context in fw1 will be active for this subnet; the context in fw2 will be active for the other subnet.