I have an ASA 5525-x Pair that do Failover with each other and connect to a Juniper SSG-5 pair. There is a VIP on both ends. We now have a secondary ISP (CenturyLink - CL) connected to the ASA pair and if the primary link (Verizon - VZ) fails, we want the tunnel to be rebuilt across the secondary ISP link to the SSG-5 Vip.
Here is what we currently have on ASA side:
crypto ipsec ikev1 transform-set VPN_DENVER esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set VPN_DENVER_AES128 esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map denver_map 10 match address acl-denver
crypto map denver_map 10 set pfs
crypto map denver_map 10 set peer 64.78.xxx.xxx
crypto map denver_map 10 set ikev1 transform-set VPN_DENVER_AES128 VPN_DENVER
crypto map denver_map interface outside-VZ
crypto ca trustpool policy
crypto ikev1 enable outside-VZ
crypto ikev1 policy 5
crypto ikev1 policy 10
tunnel-group 64.78.xxx.xxx type ipsec-l2l
tunnel-group 64.78.xxx.xxx ipsec-attributes
ikev1 pre-shared-key *****
Do I just create a new crypto map like the following?
crypto map denver_map 20 match address acl-denver crypto map denver_map 20 set pfs crypto map denver_map 20 set peer 64.78.xxx.xxx crypto map denver_map 20 set ikev1 transform-set VPN_DENVER_AES128 VPN_DENVER crypto map denver_map interface outside-VZ crypto ca trustpool policy crypto ikev1 enable outside-CL
You can specify multi peers under the existing configuration.
crypto map denver_map 10 set peer 64.78.xxx.xxx yyy.yyy.yyy.yyy
You would of course need an additional tunnel-group for the additional peer, defining the PSK.
Thanks, but this would only work unless I had an additional peer. I am using the same VIP IP on the SSG pair from each ISP VIP on the ASA side
I would try this:
sla monitor 100
type echo protocol ipIcmpEcho 18.104.22.168 interface outside-VZ
sla monitor schedule 100 life forever start-time now
track 100 rtr 100 reachability
route outside 64.78.xxx.xxx 255.255.255.255 <Verizon next hop> 1 track 100
route outside 64.78.xxx.xxx 255.255.255.255 <CenturyLink next hop> 2
That basically will use the outside-VZ interface to reach the remote Juniper peer, as long as the ICMP traffic can reach Google DNS out of the interface outside-VZ. When the IP SLA fails, the second route through CL, which has a higher administrative distance, will kick in, so the ASA will use it to reach to the Juniper.