Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
461
Views
0
Helpful
2
Replies

ASA Dual ISP - VPN L2L?

BERNHARD FIEGLMUELLER
Level 3
Level 3

‎03-06-2008 11:07 AM

Hi

I have an asa cluster where L2L Tunnels are configured.

Now i want to have an Backup ISP at the ASA side.

What i have done is SLA Monitoring for the ISP backup if the primary ISP fails.

But how can i cant the crypto map to the "backup interface" i think that it is not possible to have the same crypto map on 2 interfaces.

I found much about this question in netpro, but not really a solution.

regards

Bernhard

Labels:
0 Helpful
2 Replies 2

schannro
Level 1
Level 1

‎10-14-2008 03:43 AM

Hello!

I have the same issue but the swap from the primary to the backup works well, but the swap form the backup to the primary is a problem because I have to active SAs with the same cryptodomain and that's why the the asa don't know which SAs should take it.

Here a configuration output:

crypto map outside1_map 1 match address outside1_1_cryptomap

crypto map outside1_map 1 set peer 1.1.1.1 2.2.2.2

crypto map outside1_map 1 set transform-set ESP-3DES-SHA

crypto map outside1_map 1 set security-association lifetime seconds 28800

crypto map outside1_map 1 set security-association lifetime kilobytes 4608000

crypto map outside1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside1_map interface outside1

crypto map outside2_map 1 match address outside2_1_cryptomap

crypto map outside2_map 1 set peer 2.2.2.2 1.1.1.1

crypto map outside2_map 1 set transform-set ESP-3DES-SHA

crypto map outside2_map 1 set security-association lifetime seconds 28800

crypto map outside2_map 1 set security-association lifetime kilobytes 4608000

crypto map outside2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside2_map interface outside2

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 10 retry 3

tunnel-group 2.2.2.2 type ipsec-l2l

tunnel-group 2.2.2.2 ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 10 retry 3

mfg

schannro

0 Helpful

janakamolagoda
Level 1
Level 1

‎10-31-2008 06:26 PM

Hi Bernahard,

Have found any solution to this ? I am facing the same issue,

Regards,

Janaka

0 Helpful
Customers Also Viewed These Support Documents