What is the best way to set up a redundant site-to-site VPN?
We currently have 2 ASA5510s (8.2) at the HQ and several ASA5505s at remote sites. We would like to have the remote ASAs automatically switch over to the second ASA at the HQ when the primary path fails.
Dual peer addresses on the remote sites with reverse route injection at the HQ and a routing protocol at the HQ doesn't work, because the reverse route already exists when we set up the VPN, when it's not even connected.
Just add the secondary external IP address to the current remote-site crypto maps.
When the first (primary) IP is not available they will try the secondary, e.g.
crypto map <
y.y.y.y = Primary ASA
z.z.z.z = Secondary ASA
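For anyone reading along later, here is what that looks like in full on the remote ASA 5505. This is an added example, not the config from the post above; the ACL, transform-set and tunnel names, the 10.10.0.0/24 branch LAN, the 10.0.0.0/16 HQ range and the pre-shared keys are all assumed placeholders, and y.y.y.y / z.z.z.z are the two HQ outside addresses as in the thread.

```cisco
! Remote-site ASA 5505, software 8.2 (example config added here, not from the original post)
! Assumed addressing: 10.10.0.0/24 = this branch LAN, 10.0.0.0/16 = networks behind either HQ ASA
access-list HQ_VPN extended permit ip 10.10.0.0 255.255.255.0 10.0.0.0 255.255.0.0

! Phase 1 policy and phase 2 transform set (assumed parameters)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! One crypto map entry with two peers: y.y.y.y is tried first, z.z.z.z only after y.y.y.y is declared dead
crypto map OUTSIDE_MAP 10 match address HQ_VPN
crypto map OUTSIDE_MAP 10 set peer y.y.y.y z.z.z.z
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! 8.2 needs a separate L2L tunnel-group per peer address; keepalives (DPD) are what
! actually detect the dead primary so the ASA moves on to the second peer
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key PRIMARY_PSK_PLACEHOLDER
 isakmp keepalive threshold 10 retry 2
tunnel-group z.z.z.z type ipsec-l2l
tunnel-group z.z.z.z ipsec-attributes
 pre-shared-key SECONDARY_PSK_PLACEHOLDER
 isakmp keepalive threshold 10 retry 2
```

Two things worth checking after applying it: `show crypto isakmp sa` on the branch should show the SA to y.y.y.y, and pulling the primary's outside link should produce a new SA to z.z.z.z within the keepalive threshold plus retries. Without the keepalives the remote ASA only notices the primary is gone when the SA lifetime expires. None of this changes anything at HQ, which is the part the thread goes on to discuss.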
Thanks for the reply, but the remote site is not the problem! It's the HQ.
Because reverse route injection always injects a route (despite the lack of a valid SA), the core routers do not know where to send the traffic!
Does anybody know how to set up the routing at HQ? Bear in mind that reverse route injection doesn't do what I'd expect it to do.
OK - reverse route injection only populates the routing table with an entry when there is a valid IPsec tunnel... supposedly.
I have seen and continue to see that on ASA versions 8.0 - 8.x of IOS, reverse route injection does not perform 100%, and I advise against its use. Great function, but not 100% bug free yet.
The best way to overcome this issue is to run a dynamic routing protocol in a GRE tunnel over an IPsec VPN.
Or you just configure the ASAs as a failover pair, and have the core routers point to the active inside IP address of the ASAs.
RRI does seem to work as expected on dynamic tunnels (EzVPN) but fails on site-to-site.
Using GRE tunnels rules out the ASAs and requires routers (IOS).
Using failover ASAs will not work because we're using two different ISPs on the two ASAs, so ... bye bye ASAs.
Not entirely game over just yet - you could use IP SLA on the ASAs to check the remote end via an ICMP probe. If it fails, the ASA removes the route from its local table and stops redistributing it; then the other ASA will have a valid route and will populate that back into the core.
The below is an indication of what you can try.
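To make the IP SLA suggestion concrete, here is an added example of what the HQ side can look like on 8.2 (this is not the config from the post above, which did not survive). Addresses are assumed: 10.10.0.0/24 is the remote LAN, 198.51.100.5 is the remote ASA's public address, 203.0.113.1 is this ASA's ISP gateway on outside, and 10.0.1.0/24 is the inside segment shared with the core routers. The same config goes on the secondary HQ ASA with its own ISP gateway.

```cisco
! HQ ASA 5510 (primary, y.y.y.y), software 8.2 - example added here, not from the thread
! Assumed: 10.10.0.0/24 remote LAN, 198.51.100.5 remote peer, 203.0.113.1 ISP gateway,
!          10.0.1.0/24 inside segment towards the core routers
access-list REMOTE_VPN extended permit ip 10.0.0.0 255.255.0.0 10.10.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! No "set reverse-route" on this entry: the tracked static route below replaces RRI
crypto map OUTSIDE_MAP 10 match address REMOTE_VPN
crypto map OUTSIDE_MAP 10 set peer 198.51.100.5
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! ICMP probe to the remote end, sent out the outside interface every 10 s
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.5 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Track object that follows the probe's reachability state
track 1 rtr 10 reachability

! Static route for the remote LAN that is installed only while the probe succeeds.
! Next hop is the ISP gateway; the crypto map on outside encrypts the traffic on the way out.
route outside 10.10.0.0 255.255.255.0 203.0.113.1 1 track 1

! Redistribute the static route to the core; when the track goes down the route leaves
! the table and the ASA stops advertising it, so the core follows the other HQ ASA instead
router ospf 1
 network 10.0.1.0 255.255.255.0 area 0
 redistribute static subnets
```

Two caveats a practitioner should keep in mind. First, on the secondary HQ ASA give the redistributed route a worse metric (e.g. `redistribute static metric 200 subnets`) so the core prefers the primary while both probes succeed. Second, a probe to the peer's public address only proves the Internet path is up, not that the IPsec SA is; the ASA sources the echo from the outside interface address, so to probe a host inside the remote LAN instead, that outside-address-to-remote-LAN traffic has to be covered by the crypto ACL on both ends. `show track 1` and `show route` on each HQ ASA show which one currently holds the route.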
Could anyone provide a configuration reference for EZVPN (using ASAs on the remote side and 2 redundant ASA servers in 2 different data centers)? Is this a possible network design?
So is it not possible to have EZVPN from 1 remote site using ASA5505s to access 2 different headquarters sites (using ACTIVE-BACKUP remote access & RRI only)? We have spoken about this with a Cisco representative, and he says we can do it...