Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5602
Views
5
Helpful
6
Replies

Backup IPsec Tunnel

Go to solution
Jaro
Level 1
Level 1

‎06-06-2019 05:26 AM - edited ‎02-21-2020 09:40 PM

Hi All, 

 

our customer have a two IP providers with different Public IPs, on our site there is only one public IP address.

We have already configured one IPSec S2S VPN with 1st Provider.

 

Question is if is possible to configure second IPSec S2S backup VPN connection with 2nd Provider to different public IP with same encryption domains.

 

I have already found some article regarding backup L2L feature, but it can be used for two ASAs only, but on our customer site there is some basic device from another vendor.

 

Thank you

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Pablo
Cisco Employee
Cisco Employee

‎06-07-2019 04:41 PM - edited ‎06-07-2019 04:43 PM

Yes that's possible, the peer is added as a backup peer on the crypto map:

  • Create a new tunnel-group with the IP for your customer's 2n provider, configure the PSK or set the RSA cert.
  • Add the second public IP right next to the existing peer "crypto map <name> # set peer <ISP1> <ISP2>".

*The tunnel will be active only with one of the 'peers' at a time, DPD is used to track peer aliveness.

HTH.

Pablo

View solution in original post

6 Replies 6

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎06-06-2019 05:38 AM

Not that aware of this solution possible at this stage. how is 2 ISP provider terminating connection to you ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Pablo
Cisco Employee
Cisco Employee

‎06-07-2019 04:41 PM - edited ‎06-07-2019 04:43 PM

Yes that's possible, the peer is added as a backup peer on the crypto map:

  • Create a new tunnel-group with the IP for your customer's 2n provider, configure the PSK or set the RSA cert.
  • Add the second public IP right next to the existing peer "crypto map <name> # set peer <ISP1> <ISP2>".

*The tunnel will be active only with one of the 'peers' at a time, DPD is used to track peer aliveness.

HTH.

Pablo

Go to solution
Jaro
Level 1
Level 1
In response to Pablo

‎06-12-2019 02:36 AM

Hi Pablo,

 

Thanks for answer, I have already configured it, but I did not test it so, when I will test it I will let you know, if it works properly.

 

Thank you

0 Helpful

Go to solution
aezadburhan
Level 1
Level 1
In response to Jaro

‎06-02-2023 02:35 AM

Hi Jaro,

Ive been faced with the same issue. When the Primary peer comes back online, since both the peers are alive the tunnel is not switched back to the primary peer. 
Did you find a solution for it?
Temporarily I used EEM applet on the site router to remove and then add the  secondary peer in the crypto map configuration soon as the primary comes up, it solves the issue.

Regards,
Aezad Burhan.

0 Helpful

Go to solution
Jaro
Level 1
Level 1
In response to Pablo

‎07-24-2019 12:51 AM

Hi Pablo,

 

thanks for help, do you maybe have som article, because I have already checked it, and it works, but I do not know how it works after swithch to backup peer and back to primary peer.

 

Thank you

0 Helpful

Go to solution
Pablo
Cisco Employee
Cisco Employee
In response to Jaro

‎07-24-2019 11:03 AM

Hi Jaro,

DPD is the one doing the trick on your side.

Here you can find more information about this feature, it's based on IOS but it's the same logic for the ASA:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/12-4/sec-ipsec-data-plane-12-4-book/sec-ipsec-dead-peer.html

HTH

Pablo

0 Helpful
Customers Also Viewed These Support Documents