4345 Views | 5 Helpful | 6 Replies

Backup IPsec Tunnel

Jaro
Level 1

Hi All,

Our customer has two IP providers with different public IPs; on our site there is only one public IP address.

We have already configured one IPsec S2S VPN with the 1st provider.

The question is whether it is possible to configure a second IPsec S2S backup VPN connection with the 2nd provider to a different public IP with the same encryption domains.

I have already found an article regarding the backup L2L feature, but it can be used for two ASAs only, and on our customer's site there is a basic device from another vendor.

Thank you

1 Accepted Solution

Pablo
Cisco Employee

Yes that's possible, the peer is added as a backup peer on the crypto map:

  • Create a new tunnel-group with the IP for your customer's 2nd provider, configure the PSK or set the RSA cert.
  • Add the second public IP right next to the existing peer: "crypto map <name> # set peer <ISP1> <ISP2>".

*The tunnel will be active only with one of the 'peers' at a time, DPD is used to track peer aliveness.

HTH.

Pablo

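As an added example (this is not Pablo's configuration and not taken from the thread), here is what the two-peer crypto map looks like on the ASA side once both steps above are applied. All addresses are constructed from the RFC 5737 documentation ranges, the pre-shared keys are placeholders, and the object, ACL, transform-set and map names are assumptions for this example only:

```cisco
! Constructed addresses for this example:
!   customer via ISP1: 203.0.113.10   customer via ISP2: 198.51.100.20
!   our LAN 10.1.0.0/24               customer LAN 10.2.0.0/24 (same encryption domain for both peers)

object network LOCAL-LAN
 subnet 10.1.0.0 255.255.255.0
object network CUSTOMER-LAN
 subnet 10.2.0.0 255.255.255.0

! Interesting traffic is identical for both peers, so one ACL and one crypto map entry suffice
access-list VPN-TO-CUSTOMER extended permit ip object LOCAL-LAN object CUSTOMER-LAN

! Keep VPN traffic out of NAT
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static CUSTOMER-LAN CUSTOMER-LAN no-proxy-arp route-lookup

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! Step 1: one tunnel-group per peer address (the PSK is whatever the customer's device uses on that link)
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <ISP1-PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2

tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key <ISP2-PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2

! Step 2: both peers on the same crypto map entry; the first address is tried first
crypto map OUTSIDE-MAP 10 match address VPN-TO-CUSTOMER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10 198.51.100.20
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside

crypto ikev1 enable outside
```

The `isakmp keepalive` lines are the DPD setting: when the current peer stops answering, the ASA declares it dead and the next negotiation goes to the next address in the `set peer` list. Only one of the two peers carries the tunnel at a time, and the ASA does not tear down a working tunnel just because the other peer becomes reachable again. `show crypto ikev1 sa` and `show crypto ipsec sa peer <address>` show which peer is currently in use.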

6 Replies

balaji.bandi
Hall of Fame

Not that aware of this solution being possible at this stage. How are the 2 ISP providers terminating the connection to you?

BB



Hi Pablo,

Thanks for the answer. I have already configured it, but I did not test it, so when I test it I will let you know if it works properly.

Thank you

Hi Jaro,

I've been faced with the same issue. When the primary peer comes back online, since both peers are alive, the tunnel is not switched back to the primary peer.
Did you find a solution for it?
Temporarily I used an EEM applet on the site router to remove and then add the secondary peer in the crypto map configuration as soon as the primary comes up; it solves the issue.

Regards,
Aezad Burhan.
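As an added example (not Aezad's applet and not from the thread), here is one way to build the fail-back workaround described above on an IOS site router that holds both peers in its crypto map. Everything here is assumed for the example: the peer addresses are constructed from the RFC 5737 ranges, ICMP reachability of the primary peer's public address is used as a stand-in for IKE reachability, and the crypto map, transform-set, ACL and interface names are placeholders:

```cisco
! Track reachability of the primary peer (constructed address 203.0.113.10).
! Assumption: ICMP echo to the peer's public IP is an acceptable proxy for "primary is back".
ip sla 10
 icmp-echo 203.0.113.10 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 delay up 30

! Crypto map with primary and secondary peer (IOS: one "set peer" line per peer, tried in order)
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set peer 198.51.100.20
 set transform-set TS-AES256-SHA
 match address VPN-TO-HQ

! When the primary becomes reachable again, remove and re-add the secondary peer.
! Editing the crypto map entry clears the SA currently built to the secondary peer,
! so the next negotiation is attempted against the first peer in the list again.
event manager applet IPSEC-FAILBACK
 event track 10 state up
 action 1.0 syslog msg "Primary IPsec peer reachable again; forcing fail-back"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "crypto map CMAP 10 ipsec-isakmp"
 action 5.0 cli command "no set peer 198.51.100.20"
 action 6.0 cli command "set peer 198.51.100.20"
 action 7.0 cli command "end"
```

The `delay up 30` on the track object keeps a flapping primary link from repeatedly tearing down a working backup tunnel, and the syslog action leaves an audit trail of every forced fail-back. Traffic drops for the duration of the renegotiation, so this is a trade-off against staying on the secondary link until it fails on its own.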

Hi Pablo,

Thanks for the help. Do you maybe have some article? I have already checked it, and it works, but I do not know how it works after the switch to the backup peer and back to the primary peer.

Thank you

Pablo
Cisco Employee

Hi Jaro,

DPD is the one doing the trick on your side.

Here you can find more information about this feature, it's based on IOS but it's the same logic for the ASA:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/12-4/sec-ipsec-data-plane-12-4-book/sec-ipsec-dead-peer.html

HTH

Pablo
