Hi All, I am trying to setup two site to site vpn to 2 ASA's from a common single router such that the ASA's represent different branches. But what I want to accomplish is to setup a vpn to both these branch asa's from a router such that the interesting traffic is same for both, ie, I want to know how I can set up this tunnel using sla monitor such that when one ISP goes down the router or ASA establish the tunnel automatically to the other vpn peer. When I tried configuring multiple vpn peers in crypto map, vpn is only being established to the first one in the peer list. Is it possible to implement this vpn HA solution? Tried searching for similar setup but couldn't find one. Appreciate your suggestions. Regards, Bobby
you are going to right direction, " vpn is only being established to the first one in the peer list." when it is not available, the second will work.
one option is available on router side:
use Loopback address of router as peer address on ASA but this ip should be route-able on ISP. Using this command:
Crypto map MYMAP local-address loopback 0 10 ipsec-isakmp
Appreciate your response. I have added the topology diagram. What I am trying to achieve is a backup vpn. Consider R6 as an ISP cloud, I have already setup a VPN between ASA1 and R1, but I want to create a standby VPN to ASA3 from R1 in the instance ASA1 link to R1 fails. I have configured SLA route tracking to route through ASA3 in case of a link failure. But I am not able to bring up the second tunnel as router is not initiating the vpn tunnel to the ASA3 even though its been added in the vpn peer list (as the second peer), but even when the link is down it is only trying to establish vpn to the first peer in the list. I want to know how I can do this using the current setup, by the by vpn access-list (interesting traffic) is the traffic from R1 loopback interfaces (lo10 and lo20) to R5 loopback interface (lo30 and lo40), ie, 10.10.10.1/18.104.22.168 to 22.214.171.124/126.96.36.199 and vice versa. Assigning a public IP to a loopback interface is not an option. Any other suggestions?
Hi Kazim and Marius,
Thank you guys for your suggestion, I got it working. I will provide the config if anyone needs.
this will be quite tricky...unless you have the ASAs in a Active/Standby failover setup. some creative IP SLA tracking config will be needed on both R1 and R5, and routing will need to be taken into account because if you have two default routes on R5 you need to ensure that the tracking ICMP traffic selects the correct path and not loadbalances over the two links.
Any chance you can set up the ASAs in active/standby failover?
Please remember to select a correct answer and rate helpful posts