06-30-2016 04:56 PM
We have 2 ASA 5515-X firewalls, one at each location, and we have an EVPL between these locations.
We want to configure a site-to-site VPN to act as a backup connection, so if the EVPL goes down the VPN will still provide connectivity between sites. We configured the site-to-site VPN first and it worked; we can talk between the sites, but we now have the EVPL in place and we would rather keep the traffic internal and only use VPN over internet if the EVPL is down.
We configured EIGRP on each ASA but we can't get the routes to show up - it shows the site-to-site VPN connections as static routes but they are not defined as static routes when you look at the routing setup.
Any help would be greatly appreciated!
Thanks
06-30-2016 05:29 PM
Hi Julie,
Unfortunately EIGRP over VPN is not currently supported. This is mentioned in our online documentation here (see first note in EIGRP overview):
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1092871
"EIGRP neighbor relationships are not supported through the IPSec tunnel without a GRE tunnel."
You would need to form a GRE tunnel between routers behind each ASA and pass EIGRP over that for EIGRP functionality between your sites.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
06-30-2016 07:46 PM
Hi Aditya,
We would like to use the EVPL between the firewalls for connectivity as long as the circuit is up, and if that circuit goes down we would like to have a site-to-site VPN through the internet take over providing connectivity between the locations. Is there a way to accomplish this using just the ASA 5515-x firewalls?
We do not have to use EIGRP if there is another way to do it. We just used it because it is easy to set up.
Is there a way we can use a site-to-site VPN as a backup?
Thanks
Julie
06-30-2016 08:43 PM
Hi Julie,
To overcome this you need to have a GRE over IPSEC setup which I mentioned in my previous post.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
06-30-2016 09:53 PM
Aditya,
Will any routing protocols work with a site-to-site VPN? If not, is there a way to change the administrative distance of static routes that the site-to-site VPN creates so we could use static routes if the EIGRP session is down? Usually static routes take precedence, but if we could change the AD then it would choose the EIGRP routes unless the circuit fails and then it would take the VPN.
We are just needing to route private networks between the 2 locations.
As I said, we do not have a way to create a GRE tunnel.
Thanks
Julie
06-30-2016 10:20 PM
Hi Julie,
Did you configure RRI on the ASA?
Please check this link:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html
You can also check this link:
https://www.petenetlive.com/KB/Article/0001137
Regards,
Aditya
Please rate helpful posts and mark correct answers.