
Site-to-Site VPN Auto Failover for MPLS


I recently came across this scenario on my network: we had an MPLS network connecting our HQ to the DR site, and an internet link terminating on the ASAs.

We needed this internet link to act as an automatic failover for the MPLS in case the MPLS went down for any reason.

I did some research but couldn't find clear documentation on the internet explaining this, so I wrote this document in the hope that it will be helpful for others.

First, I had the MPLS running over BGP, and locally I use EIGRP between the routers, switches and ASAs. My problem was the static route injected into the routing protocols when a site-to-site VPN tunnel was established between the two ASAs.

So I worked with Cisco TAC on this issue until we realized that we had to remove reverse route injection from the crypto map entry:

#no crypto map OUTSIDE-map 1 set reverse-route

so that the static routes are not injected without the tunnel being established.

Now the tunnel stays down while there is no interesting traffic. Once the BGP link (MPLS) goes down, traffic to the remote networks matches the crypto ACL you created (which covers the networks reached over the MPLS) and is sent through the IPsec tunnel, bringing it up automatically. The configuration below creates this auto-failover site-to-site VPN on ASA version 9.6:

First ASA, at the DR site:

access-list MPLS-ACL1 extended permit ip object-group LOCAL-Network object-group All-Branches

crypto map OUTSIDE-map 1 match address MPLS-ACL1
crypto map OUTSIDE-map 1 set pfs
crypto map OUTSIDE-map 1 set peer X.X.X.X(HQ Public IP)
crypto map OUTSIDE-map 1 set ikev1 transform-set ****(Transform Set Name)
crypto map OUTSIDE-map 1 set security-association lifetime seconds 86400

tunnel-group X.X.X.X(HQ Public IP) type ipsec-l2l
tunnel-group X.X.X.X(HQ Public IP) ipsec-attributes
ikev1 pre-shared-key *****

Second ASA, at the HQ site:

access-list MPLS-ACL2 extended permit ip object-group All-Branches object-group DR-Network

crypto map OUTSIDE_map 8 match address MPLS-ACL2
crypto map OUTSIDE_map 8 set pfs
crypto map OUTSIDE_map 8 set peer X.X.X.X(DR Public IP)
crypto map OUTSIDE_map 8 set ikev1 transform-set ****(Transform Set Name)
crypto map OUTSIDE_map 8 set security-association lifetime seconds 86400

tunnel-group X.X.X.X(DR Public IP) type ipsec-l2l
tunnel-group X.X.X.X(DR Public IP) ipsec-attributes
ikev1 pre-shared-key *****
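As an added check, not part of the original post or of the ASA configuration above, the following Python script parses the crypto map, crypto ACL and tunnel-group lines of both ASAs and reports the problems this post works around: a crypto map entry still carrying set reverse-route, a peer without an ipsec-l2l tunnel-group, and crypto ACLs that are not mirror images of each other. The two configs, the peer addresses (198.51.100.10, 203.0.113.5) and the function names parse and check_side are constructed for this example; object-group names are assumed to refer to the same prefixes on both ASAs.

```python
import re
# Constructed DR-side snippet (reverse-route already removed, as the post does)
DR_CONFIG = """
access-list MPLS-ACL1 extended permit ip object-group DR-Network object-group All-Branches
crypto map OUTSIDE-map 1 match address MPLS-ACL1
crypto map OUTSIDE-map 1 set peer 198.51.100.10
tunnel-group 198.51.100.10 type ipsec-l2l
"""
# Constructed HQ-side snippet that still carries the reverse-route setting
HQ_CONFIG = """
access-list MPLS-ACL2 extended permit ip object-group All-Branches object-group DR-Network
crypto map OUTSIDE_map 8 match address MPLS-ACL2
crypto map OUTSIDE_map 8 set peer 203.0.113.5
crypto map OUTSIDE_map 8 set reverse-route
tunnel-group 203.0.113.5 type ipsec-l2l
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set \S+)(?: (.+))?$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")

def parse(config):
    """Return crypto ACLs {name: (src, dst)}, map entries {(map, seq): {cmd: arg}} and l2l peers."""
    acls, maps, peers = {}, {}, set()
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL_RE.match(line):
            acls[m[1]] = (m[2], m[3])
        elif m := MAP_RE.match(line):
            maps.setdefault((m[1], m[2]), {})[m[3]] = m[4] or ""
        elif m := TG_RE.match(line):
            peers.add(m[1])
    return acls, maps, peers

def check_side(local_cfg, remote_cfg):
    """Findings for one ASA checked against its peer; empty list means clean (object-group names assumed identical on both ASAs)."""
    acls, maps, peers = parse(local_cfg)
    remote_acls = parse(remote_cfg)[0]
    findings = []
    for (name, seq), entry in maps.items():
        tag = f"{name} {seq}"
        if "set reverse-route" in entry:  # would inject static routes into EIGRP while MPLS is still up
            findings.append(f"{tag}: reverse-route set")
        if entry.get("set peer") not in peers:
            findings.append(f"{tag}: no ipsec-l2l tunnel-group for peer {entry.get('set peer')}")
        acl = acls.get(entry.get("match address", ""))
        if acl is None:
            findings.append(f"{tag}: crypto ACL missing")
        elif acl[::-1] not in remote_acls.values():  # peer's ACL must be the src/dst mirror
            findings.append(f"{tag}: peer lacks mirrored crypto ACL for {acl}")
    return findings
```

Running check_side(HQ_CONFIG, DR_CONFIG) flags the HQ entry for reverse-route, while the DR side comes back clean.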