ASA L2L VPN, How to Fail Back

benweber
Level 1

I'm curious if anyone has thoughts about how to design this. I'm working with a customer who is going to be connecting a few branches back to the main office via L2L VPNs. Because they have a DR site that's connected to the main office via a PTP circuit I want to use secondary gateways on my crypto maps on the branch firewalls so they can fail over to the DR site if the main site goes offline.

That much is easy. The problem is that when using secondary tunnels the VPN tunnels won't automatically fail back over to the primary when it becomes available again. They'll just churn along happily using the secondary. I'll want them to fail back to the primary.

So I have two questions. First, if I set the lifetime on the SA to something like four hours would that mean that it would fail back to the primary, if it's available, after the timer expires and the tunnel re-establishes?

Second, is there a better way of doing this?


I should add that I ran across documentation that suggested using tracked routes for this, making the one to the primary site the preferred route. That may work but my concern is that because these sites will get their internet through the primary and DR sites (via hairpin) I can't really tie the default route to a track like that. The ASA's default routes will have to be their local internet provider's gateway.

Thanks

Accepted Solution

@benweber you could use an EEM script to fail back to the preferred VPN peer, by deleting the SA of the secondary peer once the primary is reachable again.

Example:

https://integrate.uk.com/asa-vpn-preempt/

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html#anc5

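What the accepted answer describes, written out as a branch-side ASA configuration. This is an added example, not the thread's own configuration nor the content of the two linked articles: the peer addresses, the ISP gateway, the ACL, the PSK and the object names are placeholders I chose, and the syslog ID the applet keys on is an assumption (see the comment) that should be confirmed on the target release. It also picks up the original poster's concern about tracked routes: the track is tied to a /32 host route to the primary peer, so the branch default route stays on the local ISP gateway.

```cisco
! --- Branch ASA: crypto-map peers, DPD, reachability track and an EEM fail-back applet ---
! Placeholder addresses (constructed for this example):
!   203.0.113.1  = main-office VPN peer (primary)
!   198.51.100.1 = DR-site VPN peer (secondary)
!   192.0.2.1    = the branch's own ISP gateway
!   192.168.10.0/24 = branch LAN, 10.0.0.0/8 = main-office/DR networks

access-list HQ-TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Peers are tried in the order listed: the DR peer is only used when the primary fails.
crypto map OUTSIDE-MAP 10 match address HQ-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! DPD (ISAKMP keepalives) on both tunnel groups, so a dead primary is noticed
! within seconds rather than at SA-lifetime expiry.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
 isakmp keepalive threshold 10 retry 2

! Probe the primary peer. The track is attached to a /32 host route that points at
! the ISP gateway anyway, so the branch default route is untouched.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 30
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 203.0.113.1 255.255.255.255 192.0.2.1 1 track 1

! When the tracked route changes state the ASA logs a tracked-route message; ID 622001
! is my assumption here, confirm it with "show logging" on your release. Clearing the
! DR peer's SAs forces the crypto map to renegotiate, and it tries the primary first.
event manager applet VPN-FAILBACK
 description Tear down DR peer SAs once the main-office peer is reachable again
 event syslog id 622001
 action 1 cli command "clear crypto ipsec sa peer 198.51.100.1"
 output none
```

Two caveats worth knowing before deploying this. The tracked-route syslog is emitted on both the "starting" and the "removing" transition, so the applet also fires when the primary is declared unreachable; at that moment the DR SAs are cleared once more and the branch renegotiates (primary first, then DR), which costs one extra short outage during failover. If that is unacceptable, swap the trigger for `event timer watchdog time 300` and accept a periodic renegotiation toward the DR peer while the primary is down, which is the same effect the original poster asked about with a short SA lifetime, just on a schedule you control.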

5 Replies


That's a really good idea. Thanks!

Cristian Matei
VIP Alumni

Hi,

Did you enable DPD? Otherwise, if the primary VPN gateway fails, you won't fail over to the secondary until the SA lifetime expires and you need to renegotiate, which is something you want to avoid. Crypto-map / policy-based VPNs with failover are well known for not being the best option, by far.

The best option would be to use route-based IPsec VPNs (VTI implementation), have both primary and secondary tunnels up at all times, run dynamic routing on top of both tunnels, and prefer the primary tunnels by influencing routing protocol metrics; this way you have both fast failover and fast recovery when the primary path comes up, no need for DPD, plus there's no risk of traffic black-holing.

Best,

Cristian.

Yep. I usually put ISAKMP keepalives on all my tunnel groups as a matter of course. Never seen it cause problems and it helps in cases like this.

Please check this post of mine that might help as well:

ASA site-to-site VPN failover workaround | Blue Network Security