ASA IPSec failover to VRF

renatanae
Level 1

Hello guys,

I have to do a dynamic failover between an IPSec VPN and a VRF. The actual configuration is like this: on one hand we have the IPSec tunnel over the internet and on the other hand we have a VRF between two parties. The communication between the two parties should normally work through the VRF, but if a failure occurs at the other end, our core router should stop importing the prefixes and the communication should dynamically fail over to the IPSec VPN. Hope I didn't make this overcomplicated.

ASA_IPSEC (static route) Core_switch (is-is) Core_router (ospf) ASA (static route) Border_router-->

My question is: how will our core router know that the prefix is not advertised anymore? And how will it do the dynamic failover to the VPN?

Thank you,

b.

2 Replies

Philip D'Ath
VIP Alumni

It is not clear to me what the default gateway for the sites is (the ASA?)?

Is the core router importing a static route from the ASA? Could you just enable OSPF between the core router and the ASA, so a failure will result in the route being withdrawn automatically?

Hi,

I don't think the topology is clear. But a couple of points to cover:

1. Since you are using ASA for IPSec VPN, you can't rely on dynamic routing to detect dead peers but ASA can't exchange dynamic routing over IPSec (this needs an IOS routing with VTI config).

2. You can use a combination of IPSLA tracking and static routes to trigger the failover when the primary path isn't present.
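
Added example, not part of the thread and not taken from any poster's configuration: a sketch of the IP SLA tracking plus static routes approach from the last reply, in IOS syntax for the core router. Every address, interface name and object number is a constructed placeholder, and it assumes the probe target is reachable only through the VRF path and that the backup next hop is the ASA terminating the IPSec tunnel.

```cisco
! Constructed placeholders (not from the thread):
!   198.51.100.0/24  remote party's prefix
!   192.0.2.10       probe target reachable ONLY via the primary (VRF) path
!   10.0.0.2         next hop towards the primary path
!   10.0.1.2         inside address of the ASA that terminates the IPSec VPN

! Probe the far end through the primary path every 5 seconds.
ip sla 10
 icmp-echo 192.0.2.10 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 10 life forever start-time now

! Track object follows the probe; the delays damp flapping so a single
! lost echo does not move traffic between the VRF and the tunnel.
track 10 ip sla 10 reachability
 delay down 15 up 60

! Primary route is installed only while the probe succeeds.
ip route 198.51.100.0 255.255.255.0 10.0.0.2 track 10

! Floating static (administrative distance 250) takes over when the
! tracked route is withdrawn. It must point at the IPSec ASA so the
! failover traffic is encrypted rather than leaving in the clear.
ip route 198.51.100.0 255.255.255.0 10.0.1.2 250
```

After a failover, `show track 10` and `show ip route 198.51.100.0` on the router show which path is installed. The ASA's crypto ACL has to match the same prefixes, otherwise the traffic arriving over the backup route will not be protected by the tunnel.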