1299 Views | 7 Helpful | 6 Replies

ASA SiteToSite Tunnel with DUAL ISP

nshinde01
Level 1

What happens when an ASA receives a VPN initiation request from the remote end (AWS) from a secondary connection? Will the ASA try to form the VPN tunnel with the primary IP or the secondary IP?

The ASA has roughly the following configuration (only the relevant configuration is shown):

!
crypto map outside_map 1 set peer P.P.P.P S.S.S.S
!
tunnel-group P.P.P.P type ipsec-l2l
tunnel-group P.P.P.P ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group S.S.S.S type ipsec-l2l
tunnel-group S.S.S.S ipsec-attributes
 ikev1 pre-shared-key *****
!

TIA,
Nikhil

6 Replies

Diego Lopez
Level 1

Hello,

The tunnel will be established with the first IP that you have configured. If the tunnel is successfully established, it is going to leave the second IP as the backup and is not going to try to establish a tunnel with that IP until the primary tunnel goes down. It's important to configure keepalives so you can monitor the remote peer and identify when it is down; if the remote peer stops replying to the keepalives, the ASA will tear down the tunnel and try to bring it back up with the secondary IP. If you receive a request from the secondary IP, the ASA will accept it and form the tunnel, but that's only when the primary is not active; you shouldn't get a request from the secondary if the primary is up.

Regards, please rate!

Thanks for your response.
I understood how the ASA initiates the traffic and establishes the tunnel. But in the case where the ASA is the responder, and assume traffic is coming from the other end's primary connection but the ASA has it listed as the secondary peer, how would the ASA handle that?

It will establish the tunnel; it will match the crypto map and bring the tunnel up even if it is listed as secondary.

Could you please also let me know what the default connection type would be for the above ASA (having 2 peers listed inside the same crypto map sequence)?

  • Originate 
  • Answer-only 
  • Bidirectional 

I could not find it from the CLI; I am guessing it is working in 'Originate' mode and I am planning to set it to 'Bidirectional' mode.

!
crypto map outside_map 1 set connection-type bidirectional 
!

The documentation says that by default the mode is 'Bidirectional'.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c6.html#pgfId-2477607

Also, I could confirm it using the command
sh run all crypto map

I put it over here so that in the future someone could use it.

It is the same behavior as having just one peer; the default is bidirectional.
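A small config audit, added here as an example and not part of the thread or Cisco's own tooling: it reads a constructed "sh run all crypto map" style snippet and reports, for each crypto map entry, the peer order (first listed is primary), the effective connection-type (defaulting to bidirectional when no "set connection-type" line is present, as confirmed above), and which peers lack a tunnel-group or the keepalives recommended in the first reply. The RFC 5737 addresses and the "isakmp keepalive" line under tunnel-group ipsec-attributes are constructed sample input, not values from the thread.

```python
import re
# Constructed sample config (not from a real device); RFC 5737 addresses stand in
# for the thread's P.P.P.P / S.S.S.S placeholders.
SAMPLE_CONFIG = """\
crypto map outside_map 1 set peer 192.0.2.10 198.51.100.10
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 2 set peer 203.0.113.5
crypto map outside_map 2 set connection-type answer-only
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key *****
"""
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
CONN_RE = re.compile(r"^crypto map (\S+) (\d+) set connection-type (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")


def audit(config):
    """Return {(map_name, seq): findings} for every crypto map entry that sets peers."""
    peers, conn_type, keepalive, current_tg = {}, {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            current_tg = None  # any top-level line ends the ipsec-attributes sub-mode
        if m := PEER_RE.match(line):
            peers[(m[1], int(m[2]))] = m[3].split()  # first listed peer is the primary
        elif m := CONN_RE.match(line):
            conn_type[(m[1], int(m[2]))] = m[3]
        elif m := TG_RE.match(line):
            current_tg = m[1]
            keepalive[current_tg] = False
        elif current_tg and line.strip().startswith("isakmp keepalive"):
            keepalive[current_tg] = True  # IKEv1 DPD keepalive present for this peer
    findings = {}
    for key, plist in peers.items():
        findings[key] = {
            "primary": plist[0], "backups": plist[1:],
            # no explicit 'set connection-type' means the ASA default, bidirectional
            "connection_type": conn_type.get(key, "bidirectional"),
            # a peer that may initiate (e.g. AWS after failover) needs its own
            # tunnel-group/PSK, and keepalives so the ASA notices when it goes away
            "missing_tunnel_group": [p for p in plist if p not in keepalive],
            "missing_keepalive": [p for p in plist if not keepalive.get(p)],
        }
    return findings
```

Run it against the real "sh run all crypto map" plus "sh run tunnel-group" output to spot a backup peer that was added to the crypto map but never given a tunnel-group or keepalives.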