cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
154
Views
0
Helpful
5
Replies
Highlighted
Beginner

Disaster Recovery VPN

Hi All,

I have a remote site ASA using a single ISP.  We have 2 active site to site tunnels, one to HQ and the other to our DR.  Is there a way to have both tunnels active but prefer the tunnel to HQ?  There is some overlap of network subnets on each of the tunnels as well.

Thanks in advance.

Bill

5 REPLIES 5
Highlighted
Cisco Employee

Hi Bill-

Hi Bill-

Have a look at this link to another discussion on the support forum. I think this is the solution that you are looking for. Have a look and let us know if you still have any questions:

https://supportforums.cisco.com/blog/150001

I hope this helps!

Thank you for rating helpful posts!

Beginner

Hi Neno,

Hi Neno,

Thanks for the link.  I don't think it's what I need since I only have a single ISP.   I have 2 site-to-site tunnels I setup.  One tunnel to HQ and the other to DR.  Is there a way to get the remote users to use/prefer the HQ tunnel and use the DR tunnel only if HQ tunnel goes down?  The HQ network knows how to get to DR network.  So there will be overlapping of subnets in the 'remote' encryption subnets between the 2 tunnels.

Thanks,

Bill

Highlighted
Cisco Employee

Sorry about that! I missed

Sorry about that! I missed that specific detail :)

Quick question: Are you doing any Dynamic Protocol peering over the tunnels? If yes, then that will be the easiest way to accomplish this by simply manipulating the routes. 

If you don't have dynamic protocol running then some of the features in the link that I provided above would apply. For instance, one simple way to accomplish this is to have a single tunnel/crypto-map with multiple peers instead of two different tunnels. 

Thank you for rating helpful posts!

Highlighted
Beginner

No worries.

No worries.

We are not doing any Dynamic Protocol peering over the tunnels.  I'll check out the features mentioned in the link again.  Could this type of setup potentially cause a loop?

Highlighted
Cisco Employee

There is always a chance for

There is always a chance for a routing loop if routing protocols are not deployed properly. For instance, you have multiple OSPF instances and you are redistributing between the two instances. Or you are doing mutual re-distribution between two different IGPs (For example, OSPF and BGP) without any filtering. 

When you list multiple peers under the tunnel group, the ASA will process the configured peers in a top-down fashion and it will establish the connection with the first one that is available and that it matches all of the required criteria (authentication, hashing, etc). Thus, it will not use more than one peer at a time. 

I hope this clears things up!

Thank you for rating helpful posts!

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here