I recently came across this scenario on my network: we had an MPLS network connecting our HQ to the DR site and an internet link terminating on ASAs.
We needed to use this internet link as an automatic failover for the MPLS in case the MPLS went down for any reason.
I did some research but couldn't find clear documentation on the internet explaining this, so I wrote this document in the hope that it could be helpful for others.
First, I had the MPLS over BGP, and locally I'm using EIGRP between the routers, switches and ASAs, so my problem was the static route injected into the routing protocols when a site-to-site VPN tunnel was established between the two ASAs.
So I worked with Cisco TAC on this issue until we realized that we have to issue the no reverse-route command under the crypto map:
#no crypto map OUTSIDE-map 1 set reverse-route
so that the static routes are not injected unless the tunnel is established.
Now the tunnel will stay down when there is no interesting traffic, and once the BGP link (MPLS) goes down, interesting traffic will automatically be sent to the IPSec tunnel, based on the ACL you created that has the MPLS IP address in it. The configuration to create an auto-failover site-to-site VPN on ASA version 9.6 is as below:
First ASA, at the DR site:

access-list MPLS-ACL1 extended permit ip object-group LOCAL-Network object-group All-Branches

crypto map OUTSIDE-map 1 match address MPLS-ACL1
crypto map OUTSIDE-map 1 set pfs
crypto map OUTSIDE-map 1 set peer X.X.X.X (HQ Public IP)
crypto map OUTSIDE-map 1 set ikev1 transform-set **** (Transform Set Name)
crypto map OUTSIDE-map 1 set security-association lifetime seconds 86400

tunnel-group X.X.X.X (HQ Public IP) type ipsec-l2l
tunnel-group X.X.X.X (HQ Public IP) ipsec-attributes
 ikev1 pre-shared-key *****

Second ASA, at the HQ site:

access-list MPLS-ACL2 extended permit ip object-group All-Branches object-group DR-Network

crypto map OUTSIDE_map 8 match address MPLS-ACL2
crypto map OUTSIDE_map 8 set pfs
crypto map OUTSIDE_map 8 set peer X.X.X.X (DR Public IP)
crypto map OUTSIDE_map 8 set ikev1 transform-set **** (Transform Set Name)
crypto map OUTSIDE_map 8 set security-association lifetime seconds 86400

tunnel-group X.X.X.X (DR Public IP) type ipsec-l2l
tunnel-group X.X.X.X (DR Public IP) ipsec-attributes
 ikev1 pre-shared-key *****
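As an added check (my own example, not the poster's configuration or a Cisco tool), this Python script audits saved ASA running-config text for crypto map entries that still have reverse-route set, or that reference a match-address ACL which is never defined; the sample config, peer addresses and ACL names for the second entry are constructed.

```python
import re
# Constructed ASA config fragment (not from a real device, placeholder peer IPs): entry 1
# mirrors the post's backup tunnel, entry 2 keeps reverse-route and names an undefined ACL.
SAMPLE_CONFIG = """
access-list MPLS-ACL1 extended permit ip object-group LOCAL-Network object-group All-Branches
crypto map OUTSIDE-map 1 match address MPLS-ACL1
crypto map OUTSIDE-map 1 set peer 203.0.113.10
crypto map OUTSIDE-map 2 match address PARTNER-ACL
crypto map OUTSIDE-map 2 set peer 198.51.100.7
crypto map OUTSIDE-map 2 set reverse-route
"""

CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set) (\S+)(?: (.*))?$")
ACL_RE = re.compile(r"^access-list (\S+) ")

def parse_crypto_maps(config):
    # Returns ({(map, seq): {acl, peer, rri}}, {defined ACL names})
    entries, acls = {}, set()
    for line in config.splitlines():
        line = line.strip()
        acl = ACL_RE.match(line)
        if acl:
            acls.add(acl.group(1))
            continue
        m = CRYPTO_RE.match(line)
        if not m:
            continue
        name, seq, verb, arg, rest = m.groups()
        e = entries.setdefault((name, int(seq)), {"acl": None, "peer": None, "rri": False})
        if verb == "match address":
            e["acl"] = arg
        elif arg == "peer":
            e["peer"] = rest
        elif arg == "reverse-route":
            e["rri"] = True  # RRI installs static routes for the ACL destinations
    return entries, acls

def audit(config):
    # One finding per problem; an empty list means every entry is clean
    entries, acls = parse_crypto_maps(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        if e["rri"]:
            findings.append(f"{tag}: reverse-route set, injected statics would override the MPLS path")
        if e["acl"] is None:
            findings.append(f"{tag}: no 'match address' ACL, nothing can bring the tunnel up")
        elif e["acl"] not in acls:
            findings.append(f"{tag}: ACL {e['acl']} referenced but never defined")
    return findings
```

Run it over the output of show running-config from each ASA before a failover test; a backup crypto map entry that appears in the findings will put routes into the routing table as soon as the tunnel comes up, which is exactly what broke the MPLS path in the post.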