Failover VPN between Cisco ASA5505 & 2 x Cisco IOS routers

shailen-tpnl
Level 1

Hi

I have an issue where we have a single ASA5505 [soon to be active/standby with single ISP] connecting to HQ where there are 2 x Cisco 2821's. Each 2821 router has its own connection to the internet running BGP and each router is set up to terminate IPsec VPNs from the ASA. The ASA has a backup VPN configuration with no IP SLA configuration to track if the primary IPsec endpoint is alive. Keepalives are set and the VPN does fail over to the backup.

When the primary 2821 internet connection fails the ASA fails over to the backup 2821 and everything works a dream. However, when the primary internet link re-establishes to the primary 2821, the ASA does not fail back to the primary 2821; it stays on the backup 2821 and all is broken, as the remote site starts forwarding traffic out the BGP default route - which is back via the primary connection...

How do I fix this so that the ASA tracks the IP of the primary router to fail back without manual intervention - clearing ISAKMP and IPsec SAs?

The other issue is the ASA does not allow traffic to be originated from the 2821 end of the VPN. You have to establish traffic from behind the ASA for the IPsec SA to be created.

Thanks

Shailen

1 Reply

Rudy Sanjoko
Level 4

Is there a reason why you don't use IP SLA configuration? SLA monitoring is an option so that the ASA can fall back to the primary when it comes back up. Here is good documentation about this by Rudresh V:

https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/04/25/ipsec-vpn-redundancy-failover-over-redundant-isp-links

For your other issue, that depends on your configuration: where the traffic is encrypted and where it is not.