Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1560
Views
0
Helpful
3
Replies

question about site to site VPN failover on an ASA

west33637
Level 1
Level 1

‎01-24-2012 07:42 AM

Hello all. I am building a site to site VPN from our headquarters to a customer. I am using an ASA 5520. The customer is using Cisco 3945 routers. The customer has two VPN termination points. The customer requests that we make one of their termination points the primary VPN connection and make the other termination point the backup in the event that the primary VPN fails. How do I configure this on the ASA? Does the below configuration fulfill this goal?

crypto map cccccc 10 set peer 2.2.2.2 1.3.3.3

Labels:
0 Helpful
3 Replies 3

david.steele
Level 1
Level 1

‎02-28-2012 04:23 PM

I have a similiar quest.  I have a crypto map on the asa with multiple peers - that appears to work.  However, it the first peer is not available, and the second peer is used...  It never fails BACK to the first peer when it becomes available again.  How can I make it fail back to the primary?

This is an ASA with only a single ISP.

0 Helpful

kent.plummer
Level 1
Level 1
In response to david.steele

‎03-17-2012 02:18 AM

I have just encountered a similar situation.  It seems to work near enough, but I still consider it a hack.  

Also if the second peer (887 router in this case) attempts to bring up the IPSec tunnel the ASA drops the the primary tunnel and restablishes it causing brief packet loss during the tunnel bounce.  A debug shows an error that it thinks the peer IP has changed, hence the tunnel should be dropped!!!

Im just using HRSP on the access site between 2 x 887's tracking the WAN interface.  On the ASA side I have both peers defined in the same way "crypto map cccccc 10 set peer 2.2.2.2 1.3.3.3".

The ASA feature set just hasnt improved in this space since the VPN3000 days, it may have actually gone backwards. Introduction of VTI interfaces and support for routing protocols over tunnels should have been introduced into the ASA years ago, but from what I understand has been put in the too hard basket.

Cheers

Kent.

0 Helpful

david.tran
Level 4
Level 4
In response to kent.plummer

‎03-17-2012 07:08 AM

ASA is a firewall. It is NOT a true VPN device. It lacks a lot of VPN features that you normally see in IOS routers.

For primary/backup VPN termination endpoints, I suggest you get rid of the ASA and go with IOS routers.  There are several options you can use with IOS routers such as VTI, DMVPN and GRE/IPSec.  My personal recommendation is GRE/IPSec because it can also work with non-cisco devices (Checkpoint/Nokia/IPSO combinations).  With DMVPN,

both sides need to be Cisco.  VTI, can't comment much on it since I do not use it very often.

By the way, none of these features are available in ASA appliances.

0 Helpful
Customers Also Viewed These Support Documents