ASA Redundancy with a difference

russjstewart
Level 1

Hi There,

We are starting to explore the world of VPN using Cisco ASA to connect remote sites to our Primary Data Centre (PDC), with some success I would like to add.

My issue now is that we now need to add some redundancy, by installing an ASA at our Secondary Data Centre (SDC) with some level of automated failover.

The PDC and SDC are at physically separate locations with different ISPs and different class C IP addresses. We are not worried about ISP or link failure at the remote VPN site, as it will only affect a single site. We are only worried about an ISP or ASA failure at the PDC.

My idea is to set up a new connection profile on each remote ASA pointing to the SDC ASA, as well as the existing profile connecting to the PDC ASA. My queries are:

1. Is this a really bad way of doing it?

2. Is there any way of prioritising which connection profile to use? Both connection profiles would have the same remote-end IP addresses.

Almost all the documentation I can find relates to ISP redundancy or active/standby failover between ASAs at one site.

Sorry for my ignorance,

Thanks for any help you may be able to give


5 Replies

Mohammad Alhyari
Cisco Employee

You can configure one primary server and a backup server to that one. This seems to be the best choice if you want to achieve failover. Please have a look here:

<ServerList>
    <HostEntry>
        <HostName>Mobile access</HostName>
        <HostAddress>PRIMARY IP/FQDN</HostAddress>
        <BackupServerList>
            <HostAddress>SECONDARY IP/FQDN</HostAddress>
        </BackupServerList>
        <MobileHostEntryInfo>
            <NetworkRoaming>true</NetworkRoaming>
            <CertificatePolicy>Auto</CertificatePolicy>
            <ConnectOnDemand>false</ConnectOnDemand>
            <ActivateOnImport>false</ActivateOnImport>
        </MobileHostEntryInfo>
    </HostEntry>
</ServerList>

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html#ID-1430-0000026c

Moh,

Hi Moh,

Thanks for taking the time to respond to this, but I think I did not supply enough information. We are trying to introduce redundancy in site-to-site VPN, so if the PDC goes down the ASA appliance at the remote site will then use the ASA at the SDC to connect. It doesn't matter if the remote ASA has 2 tunnels up; it is a question around how it decides which tunnel to use.

My limited understanding of Cisco Anyconnect is that it is a mobility product geared towards laptops etc.

Please correct me if I am wrong.

Thanks Again

Hi,

On the remote ASA you should configure this:

crypto map vpn set peer 1.1.1.1 2.2.2.2

The remote ASA will try 1.1.1.1; if there is no response it will try 2.2.2.2.

The ASA can't have two tunnels up at the same time that are using the same ACL entries. That is, if you have encryption from network A to network B, there can be no two tunnels active at the same time for those two networks.

You need to set up routing inside the data center so that the traffic will come to the active ASA only and the tunnel will be brought up. When the active ASA fails the traffic should start flowing to the second ASA and the tunnel will come up at that ASA.

Mo,
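As an added example (not part of Mo's reply or the original thread), here is how that "set peer" line sits in a fuller IKEv1 site-to-site configuration on the remote-site ASA. The peer addresses 1.1.1.1 and 2.2.2.2 and the map name "vpn" come from the reply; the sequence number, subnets, object and transform-set names, DPD timers and pre-shared-key placeholders are assumptions.

```cisco
! Remote-site ASA: IKEv1 site-to-site with a primary (PDC) and a backup (SDC) peer.
! Constructed example: subnets, names, timers and PSK placeholders are assumptions.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic: one crypto ACL is shared by both peers, which is why only
! one tunnel for remote LAN <-> DC LAN can be active at any time.
object network LAN-REMOTE
 subnet 192.168.10.0 255.255.255.0
object network LAN-DC
 subnet 10.0.0.0 255.255.0.0
access-list VPN-ACL extended permit ip object LAN-REMOTE object LAN-DC
!
! Peers are tried in the order listed: 1.1.1.1 (PDC) first, then 2.2.2.2 (SDC).
crypto map vpn 10 match address VPN-ACL
crypto map vpn 10 set peer 1.1.1.1 2.2.2.2
crypto map vpn 10 set ikev1 transform-set TS-AES256-SHA
crypto map vpn interface outside
!
! One tunnel-group per peer. DPD keepalives let the ASA notice a dead PDC peer
! and fall back to the SDC peer instead of waiting for the SA lifetime to expire.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PDC-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <PSK-SDC-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
!
! NAT exemption so VPN traffic is not translated on its way into the tunnel.
nat (inside,outside) source static LAN-REMOTE LAN-REMOTE destination static LAN-DC LAN-DC no-proxy-arp route-lookup
```

Each data-centre ASA needs the mirror-image crypto ACL and a tunnel-group for the remote site's outside address; as Mo says, the internal route to the remote LAN must point at only one data-centre ASA at a time so the tunnel is built there.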

Hi Mo,

Sorry for not getting back to you sooner, but I had yesterday off.

I like your solution. It makes complete sense to me.


I will try that once I get the SDC ASA commissioned, which may be a few weeks with other priorities. I will let you know how I get on.


Thank you very much for taking the time to respond to my query; it is really appreciated.

Cheers


Hi Mo,

Sorry for taking so long to get back to you, but the VPN redundancy was bumped by other conflicting needs.

I finally got a test bed set up and your suggestion does work; the only problem is that it only works for IKEv1.


I will dig a bit deeper and see what we can dig up.


Once again, thank you for your help.