ASA L2L VPN backup circuit using OSPF?

dkraut · ‎02-14-2013

Hi All, I've found various bits of info on this topic, but nothing really clear so I wanted to start a new thread to see if we can create a template for what I believe is a very common scenario. *Please see attached diagram.

Many of us today are using MPLS or similar for our WAN backbone, but we're also faced with the challenge of what to do if an MPLS site drops? The most economical backup circuit IMO is an L2L IPsec VPN tunnel. The next challenge then becomes routing. Our MPLS provider allows us to use OSPF so that is what I'm using to manage routing between MPLS sites. In my scenario, I'm also using floating static routes with an admin distance of 200 to route to the ASA L2L VPN in case an MPLS site drops. This works, but becomes very difficult to manage when you have more than a few sites/vlans. Based on the attached diagram, what would you suggest to enable OSPF on the ASA's? The goal is to eliminate the need for floating static routes and/or human intervention if an MPLS site were to drop?

Thanks!

dkraut · ‎02-19-2013

Anyone, Anyone, Bueller?

Andrew Phirsov · ‎02-19-2013

I think you may configure ospf unicast to set-up dynamic routing through the tunnel:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

In that case ospf will take care of redundancy.

Edwin Matos · ‎07-30-2015

Dkeaut,

What type of routes is your MPLS provider forwarding you. Ospf External or Interarea?

If external ask them to provide IA routes by setting up the same OSPF Domain Id on each PE Ospg instance. After you are getting IA routes then you can setup ospf into the ASA tunnel with a different area then 0.

branch 1 - lan(mpls ia) - area 0 ia - asa - area 1 - asa - area 0 - lan (mpls ia)

since ospf prefers IA of area 0 before IA of area 1 you asa will have the second priority.

hope this helps