Hello all. I am building a site to site VPN from our headquarters to a customer. I am using an ASA 5520. The customer is using Cisco 3945 routers. The customer has two VPN termination points. The customer requests that we make one of their termination points the primary VPN connection and make the other termination point the backup in the event that the primary VPN fails. How do I configure this on the ASA? Does the below configuration fulfill this goal?
crypto map cccccc 10 set peer 18.104.22.168 22.214.171.124
I have a similiar quest. I have a crypto map on the asa with multiple peers - that appears to work. However, it the first peer is not available, and the second peer is used... It never fails BACK to the first peer when it becomes available again. How can I make it fail back to the primary?
This is an ASA with only a single ISP.
I have just encountered a similar situation. It seems to work near enough, but I still consider it a hack.
Also if the second peer (887 router in this case) attempts to bring up the IPSec tunnel the ASA drops the the primary tunnel and restablishes it causing brief packet loss during the tunnel bounce. A debug shows an error that it thinks the peer IP has changed, hence the tunnel should be dropped!!!
Im just using HRSP on the access site between 2 x 887's tracking the WAN interface. On the ASA side I have both peers defined in the same way "crypto map cccccc 10 set peer 126.96.36.199 188.8.131.52".
The ASA feature set just hasnt improved in this space since the VPN3000 days, it may have actually gone backwards. Introduction of VTI interfaces and support for routing protocols over tunnels should have been introduced into the ASA years ago, but from what I understand has been put in the too hard basket.
ASA is a firewall. It is NOT a true VPN device. It lacks a lot of VPN features that you normally see in IOS routers.
For primary/backup VPN termination endpoints, I suggest you get rid of the ASA and go with IOS routers. There are several options you can use with IOS routers such as VTI, DMVPN and GRE/IPSec. My personal recommendation is GRE/IPSec because it can also work with non-cisco devices (Checkpoint/Nokia/IPSO combinations). With DMVPN,
both sides need to be Cisco. VTI, can't comment much on it since I do not use it very often.
By the way, none of these features are available in ASA appliances.