08-05-2013 02:50 PM
Is it possible to specify a backup peer IP address on a Cisco ASA v8.4 when connection to a SonicWall firewall via a site-to-site VPN?
The "crypto map set connection-type" seems to be specific to VPNs between Cisco devices.
Does anyone have peer failover working between an ASA and SonicWall firewall and would be willing to share how this was done?
Thanks.
V/
08-05-2013 02:54 PM
Hi,
To my understanding, when you configure an L2L VPN connection on an ASA and you want to set 2 different peer IP addresses for the same L2L VPN connection, you simply configure the crypto map with several IP addresses:
crypto map
Or something like this.
I have only tested a setup where I had an ASA5520 with dual ISP and a remote ASA5505 that had an L2L VPN connection to the ASA5520, with 2 peer IP addresses defined for the single L2L VPN connection using the above-mentioned command.
It seemed to work just fine but naturally was just a lab test setup.
- Jouni
06-15-2015 11:34 AM
I have confirmed that setting multiple peers on the crypto map worked between Cisco ASA to Sonicwall. Make sure you configure the tunnel-group for the backup IP address with the same attributes. I would also leave the connection-type to default (bi-directional) since it worked fine for me.
01-09-2020 01:15 PM - edited 01-09-2020 01:16 PM
What if you have more than 2 backup peers, say 3 or 4? Will that still work?
set peer 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4
01-09-2020 01:25 PM
01-09-2020 01:28 PM
Thank you sir
08-05-2013 10:47 PM
Jouni is correct. You simply specify multiple peers in the crypto map policy. It will attempt them in the configured order. Don't forget to create the tunnel-group for the subsequent peers.
Regards,
Mike
Sent from Cisco Technical Support Android App
08-06-2013 06:59 AM
This doesn't seem to work when the site-to-site VPN is between a Cisco and a non-Cisco device. Does anyone have failover working with a Cisco peer on one side of the connection and a non-Cisco device (Sonicwall in my case) on the other?
Thanks.
V/
08-06-2013 06:53 PM
I want to clarify your topology. You have a Cisco ASA and a SonicWall. You have two ISP connections on each firewall for redundancy. You want to configure the ASA to use both of the SonicWall's IPs in case one of the SonicWall ISP connections goes down, and vice versa.
The configuration on the ASA is completely independent of the remote device. You just need to configure the crypto map entry with both peer IP's of the Sonicwall, such as:
crypto map VPNMAP 10 set peer 1.1.1.1 2.2.2.2
You also need to make sure you have a tunnel-group for each of the peer IP addresses with the same PSK. I have this configuration working just fine on several ASA devices without knowing the remote device, and on a few others with various flavors of firewalls.
IIRC the Sonicwall also allows you to configure a secondary peer gateway IP for the IPSec configuration.
I also want to state that the ASA and Sonicwall will both attempt their primary peer IP addresses first, and if those fail, then they will fall back to the backup peer. There needs to be end-to-end connectivity and proper routing at each end for this to work.
If this is still not working, please provide VPN debugs from the ASA:
logging buffer-size 999999
logging buffered debugging
debug crypto isa 200
debug crypto ips 200
clear logging buffer
then try to bring up/failover the tunnel.
Regards,
Mike
02-13-2019 10:53 AM - edited 02-13-2019 10:59 AM
Is there any way to speed up the failover between the peers? I've set up 2 peers and tested the failover, but it seems like re-establishing the tunnel using the 2nd peer takes close to 1 minute. Would this be possible?
06-15-2015 07:50 AM
I know this is from 2 years ago but did you ever get this to work?
Thanks.
02-08-2018 06:32 AM - edited 02-08-2018 06:33 AM
Jouni and Mike are correct, but unfortunately multiple peer IPs do not work if you are using IKEv2.
You can configure it, but in log you will see:
Feb 08 2018 03:38:21: %ASA-4-752009: IKEv2 Doesn't support Multiple Peers
Feb 08 2018 03:38:23: %ASA-3-752006: Tunnel Manager failed to dispatch a KEY_ACQUIRE message. Probable mis-configuration of the crypto map or tunnel-group. Map Tag = vpnpeer. Map Sequence Number = 10.
So probably the only way is to use New Connection Profile / new higher sequence number for the same crypto map with secondary peer configuration.
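The advice in this thread boils down to three things to verify before blaming the SonicWall: every address in `set peer` has its own `tunnel-group <ip> type ipsec-l2l` with `ipsec-attributes`, the IKEv1 pre-shared keys for those peers match (the remote side uses one secret for the policy), and no IKEv2 crypto map entry lists more than one peer, since the ASA logs %ASA-4-752009 and never dispatches the tunnel. The following script is an added example, not code from any of the posters or from Cisco: it parses a saved ASA configuration and reports those three problems. The configuration text, the map name `VPNMAP`, the 1.1.1.1 to 4.4.4.4 peer addresses and the key values are constructed for the example. The second sample lays the IKEv2 peers out one per sequence number, as the last post suggests; the script only checks that layout for internal consistency and does not claim the ASA will accept it.

```python
"""Check multi-peer L2L crypto map entries in an ASA configuration dump."""
import re
from collections import defaultdict

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
PROTO_RE = re.compile(r"^crypto map (\S+) (\d+) set (ikev1|ikev2) ")
TG_TYPE_RE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
TG_ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")

# Constructed sample: IKEv1 entry with mismatched PSKs, IKEv2 entry with two
# peers and no tunnel-group for the second one (addresses are placeholders).
SAMPLE_CONFIG = """
crypto map VPNMAP 10 match address L2L_ACL
crypto map VPNMAP 10 set peer 1.1.1.1 2.2.2.2
crypto map VPNMAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map VPNMAP 20 match address L2L_ACL2
crypto map VPNMAP 20 set peer 3.3.3.3 4.4.4.4
crypto map VPNMAP 20 set ikev2 ipsec-proposal AES256
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key s3cret
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key different
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 ikev2 remote-authentication pre-shared-key k
 ikev2 local-authentication pre-shared-key k
"""

# Constructed sample of the layout the last post proposes for IKEv2: one peer
# per sequence number, each with its own tunnel-group.
SPLIT_CONFIG = """
crypto map VPNMAP 20 match address L2L_ACL2
crypto map VPNMAP 20 set peer 3.3.3.3
crypto map VPNMAP 20 set ikev2 ipsec-proposal AES256
crypto map VPNMAP 21 match address L2L_ACL2
crypto map VPNMAP 21 set peer 4.4.4.4
crypto map VPNMAP 21 set ikev2 ipsec-proposal AES256
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 ikev2 remote-authentication pre-shared-key k
 ikev2 local-authentication pre-shared-key k
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
 ikev2 remote-authentication pre-shared-key k
 ikev2 local-authentication pre-shared-key k
"""


def _new_group():
    return {"type": None, "ikev1_psk": None, "ikev2_remote": None, "ikev2_local": None}


def parse_config(text):
    """Return ({(map, seq): {peers, protocols}}, {peer: tunnel-group attrs})."""
    entries = defaultdict(lambda: {"peers": [], "protocols": set()})
    groups = defaultdict(_new_group)
    current = None  # tunnel-group whose ipsec-attributes block we are inside
    for raw in text.splitlines():
        if not raw.strip():
            continue
        stripped = raw.strip()
        if raw[0] in " \t" and current is not None:
            parts = stripped.split()
            if parts[:2] == ["ikev1", "pre-shared-key"] and len(parts) > 2:
                groups[current]["ikev1_psk"] = parts[2]
            elif parts[:3] == ["ikev2", "remote-authentication", "pre-shared-key"] and len(parts) > 3:
                groups[current]["ikev2_remote"] = parts[3]
            elif parts[:3] == ["ikev2", "local-authentication", "pre-shared-key"] and len(parts) > 3:
                groups[current]["ikev2_local"] = parts[3]
            continue
        current = None  # any top-level line ends the attributes block
        m = PEER_RE.match(stripped)
        if m:
            entries[(m.group(1), int(m.group(2)))]["peers"].extend(m.group(3).split())
            continue
        m = PROTO_RE.match(stripped)
        if m:
            entries[(m.group(1), int(m.group(2)))]["protocols"].add(m.group(3))
            continue
        m = TG_TYPE_RE.match(stripped)
        if m:
            groups[m.group(1)]["type"] = m.group(2)
            continue
        m = TG_ATTR_RE.match(stripped)
        if m:
            current = m.group(1)
            groups[current]  # make sure the group exists even if it stays empty
    return dict(entries), dict(groups)


def check_config(text):
    """Return (entry, code, detail) findings; an empty list means consistent."""
    entries, groups = parse_config(text)
    findings = []
    for (name, seq), entry in sorted(entries.items()):
        label = f"{name} {seq}"
        peers, protos = entry["peers"], entry["protocols"]
        if "ikev2" in protos and len(peers) > 1:
            findings.append((label, "IKEV2_MULTI_PEER", "ASA logs %ASA-4-752009 for this entry"))
        for peer in peers:
            tg = groups.get(peer)
            if tg is None:
                findings.append((label, "MISSING_TUNNEL_GROUP", peer))
                continue
            if tg["type"] != "ipsec-l2l":
                findings.append((label, "WRONG_TUNNEL_GROUP_TYPE", f"{peer} is {tg['type']}"))
            if "ikev1" in protos and not tg["ikev1_psk"]:
                findings.append((label, "MISSING_IKEV1_PSK", peer))
            if "ikev2" in protos and not (tg["ikev2_remote"] and tg["ikev2_local"]):
                findings.append((label, "MISSING_IKEV2_PSK", peer))
        if "ikev1" in protos:
            psks = {groups[p]["ikev1_psk"] for p in peers if p in groups and groups[p]["ikev1_psk"]}
            if len(psks) > 1:  # remote side presents one secret whichever IP it uses
                findings.append((label, "IKEV1_PSK_MISMATCH", ", ".join(peers)))
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(*finding)
```

Run it against `show running-config` output saved to a file; the first sample yields a PSK mismatch on entry 10, plus the IKEv2 multi-peer condition and the missing tunnel-group for 4.4.4.4 on entry 20, while the split layout yields nothing. Masked keys (`*****` in a `show run` without `more system:running-config`) still compare, so a mismatch reported on masked output means the masking differs, not the keys.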