ASA SiteToSite Tunnel with DUAL ISP

What happens when an ASA receives a VPN initiation request from a remote end (AWS) on its secondary connection? Will the ASA try to form the VPN tunnel with the primary IP or the secondary IP?

The ASA has roughly the following configuration (showing only the relevant parts):

!
crypto map outside_map 1 set peer P.P.P.P S.S.S.S
!
tunnel-group P.P.P.P type ipsec-l2l
tunnel-group P.P.P.P ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group S.S.S.S type ipsec-l2l
tunnel-group S.S.S.S ipsec-attributes
 ikev1 pre-shared-key *****
!

TIA,
Nikhil

Hello,

The tunnel will be established with the first IP that you have configured. If the tunnel is successfully established, it is going to leave the second IP as the backup and is not going to try to establish a tunnel with that IP until the primary tunnel goes down. It's important to configure keepalives so you can monitor the remote peer and identify when it is down; if the remote peer stops replying to the keepalives, the ASA will tear down the tunnel and try to bring it back up with the secondary IP. If you receive a request from the secondary IP, the ASA will accept it and form the tunnel, but that's only when the primary is not active; you shouldn't get a request from the secondary if the primary is up.

Regards, please rate!

Thanks for your response. 
I understood how the ASA initiates the traffic and establishes the tunnel. But in the case when the ASA is the responder and, say, traffic is coming from the other end's primary connection that the ASA has listed as its secondary peer, how would the ASA handle that?

It will establish the tunnel: it will match the crypto map and bring the tunnel up even if the peer is listed as secondary.

Could you please also let me know what the default connection type would be for the above ASA (having 2 peers listed inside the same crypto map sequence)?

  • Originate 
  • Answer-only 
  • Bidirectional 

I could not find it from the CLI; I am guessing it is working in 'Originate' mode and am planning to set it to 'Bidirectional' mode.

!
crypto map outside_map 1 set connection-type bidirectional 
!

Documentation says, by default the mode is 'Bidirectional'. 
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c6.html#pgfId-2477607

Also, I could confirm it using the command
sh run all crypto map

I am putting it here so that someone could use it in the future.
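To tie together the two points made in this thread (the first reply's advice to configure keepalives so the ASA can detect a dead primary peer and fail over, and the later finding that the connection type defaults to bidirectional), here is an added example configuration; it is not from the original post or from Cisco documentation. P.P.P.P and S.S.S.S are the remote end's primary and secondary addresses as in the question; the crypto ACL name, transform-set name, interface name and keepalive timers are assumptions chosen for illustration.

```cisco
! Added example, not the poster's configuration.
! Crypto map entry with two peers: when the ASA originates, the peers are
! tried in the listed order (P.P.P.P first, S.S.S.S only after P.P.P.P fails).
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer P.P.P.P S.S.S.S
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
! This is the default and is normally hidden from "show run"; it is shown
! explicitly here. Bidirectional means the ASA both originates to the peers
! above and answers an IKE request from either of them as responder.
crypto map outside_map 1 set connection-type bidirectional
crypto map outside_map interface outside
!
! One tunnel-group per peer address, each with its own pre-shared key.
! The isakmp keepalive (dead peer detection) is what lets the ASA notice
! that P.P.P.P has stopped answering, tear the tunnel down and retry with
! S.S.S.S. The 10 s threshold / 2 s retry values are assumptions.
tunnel-group P.P.P.P type ipsec-l2l
tunnel-group P.P.P.P ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
tunnel-group S.S.S.S type ipsec-l2l
tunnel-group S.S.S.S ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
```

To verify, `show running-config all crypto map` prints the entry including the defaulted `set connection-type bidirectional` line, as the poster found, and `show crypto ikev1 sa` / `show crypto ipsec sa` show which of the two peer addresses the active SAs are currently built with, which is how you confirm a failover actually happened.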

It is the same behavior as having just one peer; the default is bidirectional.
