Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1067
Views
0
Helpful
4
Replies

IPSec L2L tunnel auto failover between two different sites?

vasanth77
Level 1
Level 1

‎03-19-2019 10:38 PM

Hi everyone,

 I would like to get a expert advice on Cisco ASA site to site  VPN tunnel failover between two different site firewall. 

I know vpn- loadbalancing is used for remote access VPN users with 2 ASA configured for load balancing and in case of failure the remaining ASA serve for all anyconnect client with itsi capacity.

 

But How to design or use site to site VPN failover if a tunel fails for a particular local and remote network, and how the failover scenario looks??

 

Do we need 4 firewall with 2 each at different side ?

Or with single firewall with 2 different isp each side?

Can anyone please explain how it could be achievable? 

 

Thank you in advance.

Labels:
0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎03-20-2019 12:37 AM

You can do the single ASA or Dual ASA for high resiliance based on the business requirement.

 

You configure both the tunnels (so the tunnels will be up), then you do failover with IP SLA Tracking. 

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

 

http://gregsowell.com/?p=829

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Rob Ingram
VIP
VIP

‎03-20-2019 03:09 AM

Hi,
Cisco consider crypto maps legacy nowadays and recommend using a VTI, so you could look at using Tunnel (VTI) interfaces on the ASA firewalls and use the routing protocol to determine failover (only BGP is supported with VTI today).

As far as recommendations the solution needs to be resilent. So having 2 x ISP and 1 x Firewall connected to each ISP should be resilent if one of the ISP or firewall breaks. You can double up on the firewalls, but this would depend on your budget.

HTH
0 Helpful

vasanth77
Level 1
Level 1
In response to Rob Ingram

‎03-20-2019 04:57 AM

Thank you for your reply. In this case each site having the budget to have two firewall on each side, then it would be only active/standby scenario? or can we have any other scenario like both firewall at same site without failover configuration ? Is that possible?
0 Helpful

Rob Ingram
VIP
VIP
In response to vasanth77

‎03-20-2019 05:13 AM

Yes, you could have either an Active/Standby configuration. Alternatively you could have 2 ASA's not configured for failover and just use IP SLA or if using VTI the routing protocol to route over the tunnel.
0 Helpful
Customers Also Viewed These Support Documents