10-30-2024 10:24 AM - edited 10-30-2024 10:28 AM
I'm curious if anyone has thoughts about how to design this. I'm working with a customer who is going to be connecting a few branches back to the main office via L2L VPNs. Because they have a DR site that's connected to the main office via a PTP circuit I want to use secondary gateways on my crypto maps on the branch firewalls so they can fail over to the DR site if the main site goes offline.
That much is easy. The problem is that when using secondary tunnels the VPN tunnels won't automatically fail back over to the primary when it becomes available again. They'll just churn along happily using the secondary. I'll want them to fail back to the primary.
So I have two questions. First, if I set the lifetime on the SA to something like four hours would that mean that it would fail back to the primary, if it's available, after the timer expires and the tunnel re-establishes?
Second, is there a better way of doing this?
I should add that I ran across documentation that suggested using tracked routes for this, making the one to the primary site the preferred route. That may work but my concern is that because these sites will get their internet through the primary and DR sites (via hairpin) I can't really tie the default route to a track like that. The ASA's default routes will have to be their local internet provider's gateway.
Thanks
10-30-2024 10:32 AM - edited 10-30-2024 10:36 AM
@benweber you could use an EEM script to failback to the preferred VPN peer, by deleting the SA of the secondary peer once the primary is reachable again.
Example:
https://integrate.uk.com/asa-vpn-preempt/
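The approach in that reply, written out as an added configuration example (not from the linked article or the thread): a crypto map with the primary and DR peers in order, DPD on both tunnel-groups, an IP SLA probe against the primary peer that controls a /32 host route rather than the default route, and an EEM applet that clears the DR peer's SAs when that host route comes back. All addresses, object names and the AS/syslog behaviour described in the comments are placeholders or assumptions to verify on the target ASA version.

```cisco
! Added example, not from the original post. Placeholder addresses:
!   192.0.2.1     branch ISP gateway (remains the default route)
!   203.0.113.1   primary VPN peer at the main office
!   198.51.100.1  secondary VPN peer at the DR site
!
! 1. Ordered peers: the ASA tries 203.0.113.1 first and only moves to
!    198.51.100.1 when the primary does not answer.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PSK
 isakmp keepalive threshold 10 retry 2
!
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! 2. Probe the primary peer. The tracked object governs a host route to
!    the peer only, so the default route stays on the local ISP gateway
!    and hairpinned internet traffic is not affected. The primary must
!    answer ICMP echo on its outside interface for this to work.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside 203.0.113.1 255.255.255.255 192.0.2.1 1 track 1
!
! 3. When the tracked route is installed or removed the ASA logs
!    %ASA-6-622001. Clearing the SAs to the DR peer tears down the
!    secondary tunnel; the next interesting packet renegotiates starting
!    again at the first peer in the list, which is the primary.
!    Assumption: the applet also fires on the "Removing tracked route"
!    variant of 622001, where clearing a DR SA that does not yet exist
!    is a harmless no-op.
event manager applet VPN_PREEMPT
 event syslog id 622001
 action 1 cli command "clear crypto ipsec sa peer 198.51.100.1"
 action 2 cli command "clear crypto ikev1 sa 198.51.100.1"
 output none
```

Two checks before relying on this: `logging enable` must be on and message 622001 must not be disabled, otherwise the EEM syslog event never fires; and `show crypto ipsec sa peer 198.51.100.1` after a simulated primary outage and recovery should show the DR SAs gone and `show crypto ipsec sa peer 203.0.113.1` should show fresh SAs with the primary.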
10-30-2024 10:58 AM
That's a really good idea. Thanks!
10-30-2024 12:41 PM - edited 10-31-2024 07:28 AM
Hi,
Did you enable DPD? Otherwise, if the primary VPN gateway fails, you'll not fail over to the secondary until the SA lifetime expires and you need to renegotiate, which is something you want to avoid. Crypto-map / policy-based VPNs with failover are well known for not being the best option, by far.
Best option would be to use route-based IPsec VPNs (VTI implementation), have both primary and secondary tunnels up at all times, run dynamic routing on top of both tunnels, and prefer primary tunnels by influencing routing protocol metrics; this way, you have both fast failover and fast recovery when the primary path comes up, no need for DPD, plus there's no risk of traffic black-holing.
Best,
Cristian.
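The route-based design described in that reply, as an added example that is not part of the original post: two VTIs on the branch ASA (one to the main office, one to DR) with IKEv2, both tunnels up permanently, and BGP over both with the primary preferred in each direction (higher local-preference inbound on the primary neighbor, AS-path prepend outbound to the DR neighbor). Addresses, ASNs, names and the PSK placeholder are assumptions; VTI and BGP availability depend on the ASA software version.

```cisco
! Added example, not from the original thread. Placeholders:
!   203.0.113.1 primary peer, 198.51.100.1 DR peer
!   10.255.1.0/30 and 10.255.2.0/30 tunnel link networks
!   AS 65010 branch, AS 65000 main office and DR
!   192.168.10.0/24 branch LAN
!
! IKEv2 and IPsec parameters shared by both tunnels.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI_PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE_WITH_PSK
 ikev2 local-authentication pre-shared-key REPLACE_WITH_PSK
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE_WITH_PSK
 ikev2 local-authentication pre-shared-key REPLACE_WITH_PSK
!
! Both VTIs stay up at all times; no crypto map, no peer list.
interface Tunnel1
 nameif vti-primary
 ip address 10.255.1.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROFILE
interface Tunnel2
 nameif vti-dr
 ip address 10.255.2.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROFILE
!
! Default route stays on the local ISP; only prefixes learned over BGP
! go through the tunnels.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Prefer the primary for traffic leaving the branch (local-preference
! on routes learned from the primary) and for traffic coming back
! (prepend our AS on routes advertised to DR).
route-map PREFER_PRIMARY permit 10
 set local-preference 200
route-map DEPREF_DR permit 10
 set as-path prepend 65010 65010
!
router bgp 65010
 bgp log-neighbor-changes
 address-family ipv4 unicast
  network 192.168.10.0 mask 255.255.255.0
  neighbor 10.255.1.1 remote-as 65000
  neighbor 10.255.1.1 timers 10 30
  neighbor 10.255.1.1 route-map PREFER_PRIMARY in
  neighbor 10.255.1.1 activate
  neighbor 10.255.2.1 remote-as 65000
  neighbor 10.255.2.1 timers 10 30
  neighbor 10.255.2.1 route-map DEPREF_DR out
  neighbor 10.255.2.1 activate
```

With 10/30 second BGP timers a dead primary is withdrawn within the hold time and the DR path takes over without any SA renegotiation; when the primary session comes back, the higher local-preference route is reinstalled and traffic moves back on its own, which is the failback the crypto-map design lacks. The main office and DR sides need the mirror configuration (their own VTIs, the branch as a BGP neighbor, and ideally matching policy so both ends agree on the preferred path).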
10-30-2024 06:14 PM
Yep. I usually put ISAKMP keepalives on all my tunnel groups as a matter of course. Never seen it cause problems and it helps in cases like this.
10-31-2024 07:21 AM
Please check this post of mine that might help as well:
ASA site-to-site VPN failover workaround | Blue Network Security