Best technology to implement failover to remote backup l2l VPN?

Hello.

TASK: implement technology so that when l2l VPN to vendor fails, EIGRP routing will redirect traffic to distant backup VPN.

Options: BGP config, SLA config, DPD config, (other)

Which option would you implement & why?

Thank you.

17 Replies

@jmaxwellUSAF use a route-based VPN.

Personally I'd use FlexVPN. Peer with the primary hub router and use an EIGRP/OSPF/BGP routing protocol; if the primary router fails, DPD detects the failure and establishes a tunnel to the next peer, and the routing adjacency is established.

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/116413-configure-flexvpn-00.html

On ASA or FTD you can also use VTI.

Friend, this is your fifth time asking about failover of VPN, and you are right to ask, because the case and the config are different. You have many, many cases:

Case 1: ASA with dual ISP connected to another ASA with only one ISP
Case 2: ASA with dual ISP connected to another ASA with dual ISP
Case 3: Two ASAs connected to another ASA with only one ISP
Case 4: Two ASAs connected to another ASA with dual ISP
Case 5: Two ASAs connected to two ASAs

Which case do you have?

(Some of my posts are definitely different situation than this post.) This post...

MyEnterprise-ASA5525-location1 <==> ISP1 <==> VendorLocation1

MyEnterprise-ASA1120-location2 <==> ISP2 <==> VendorLocation1

-ASA1 and ASA2 communicate with EIGRP.

-There are many vendors in same above architecture that this solution must satisfy.

@jmaxwellUSAF you are reliant on what the vendor has configured and what they are prepared to support. Are you completely redesigning the current VPN or are these new VPNs?

MyEnterprise-ASA5525-location1 <==> ISP1 <==> VendorLocation1

All vendors exist in above. Zero vendors exist in backup location (No VPNs there yet.)

A single VPN exists now. My boss wants me to erect a backup VPN at our different branch location. 

Part of my administrative task is to convince the vendor of the need for this backup VPN. 

I investigated FlexVPN, but that seems to be practical only for VPNs within a single enterprise.

I expect BGP is the best way to go, but I am not sure at all. What are your thoughts?

@jmaxwellUSAF FlexVPN is a good solution if you control it end to end, but as you don't control the other end use ASA or FTD.

Are you currently using a policy-based or route-based VPN at present?

I assume you want both location1 and location2 to access the vendorlocation1 via either tunnel, so do your location1 and location2 sites have a direct link (fibre, MPLS etc) or do they communicate via a VPN between the FTD and ASA?

"they communicate via a VPN between the FTD and ASA?"

www1 <==> ASA5525 <==> switch1 <==> router1 <=DMVPN=> router2 <==> switch2 <==> ASA1100 <==> www2

Accepted solution:

@jmaxwellUSAF so assuming location1 has the active VPN. Advertise the vendor networks into your local network using the routing protocol that you run on the DMVPN, then switch2 in location2 will learn the networks and route over the DMVPN to access the vendorlocation1. If the VPN from location1 to vendorlocation1 fails, then establish a tunnel via the location2 FW to vendorlocation1 and advertise the vendorlocation routes into the local network, location1 will then learn these routes and route over the DMVPN to reach the vendorlocation1.

Another option is to have both VPNs active, but use a routing metric to prefer one VPN over the other. If one VPN fails, the routes disappear and traffic is routed via the other VPN.

"Another option is to have both VPNs active, but use a routing metric to prefer one VPN over the other. If one VPN fails, the routes disappear and traffic is routed via the other VPN."

But how to set up an alert to the routers that the primary VPN has failed (the VPN link is not using EIGRP because of the foreign vendor AS; no dynamic routing protocol exists on this link)? Seems there are 3 solutions on this point...

Options: BGP config, SLA config, DPD config, (other).

I have been advised BGP is best. But that seems to imply injecting IBGP routes into network. What are your thoughts?

Accepted solution:

@jmaxwellUSAF if using a policy-based VPN, use Reverse Route Injection (RRI) on the firewall in conjunction with a routing protocol (any) which will advertise the remote peer network(s) into the routing table of your local network (DMVPN and the other sites). When the VPN to the vendor fails, RRI will remove the remote networks from the firewall and subsequently from the routing table of the other devices in your network.

"When the VPN to the vendor fails, RRI will remove the remote networks"

How does the router know that the VPN link has failed?-- How does RRI technology alert the router that the link is now down (It detects keepalives?) ?

@jmaxwellUSAF Dead Peer Detection (DPD) keepalives determine whether there is communication between the VPN peers; if not, it will tear down the tunnel, which would then remove the RRI-learnt routes of the remote networks.

https://community.cisco.com/t5/security-knowledge-base/dead-peer-detection/ta-p/3111324
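The design from the two accepted answers above (RRI on the ASA, DPD to tear down a dead SA, the RRI route redistributed into EIGRP, and the location2 tunnel carrying a worse metric so it is only used when location1's route disappears), as an added ASA configuration example that is not part of any post in this thread. Everything in it is an assumption: the prefixes, object and map names, the EIGRP AS number 100, the vendor peer address 203.0.113.10, and an ASA release of 9.7 or later (the `dynamic` keyword on `set reverse-route`).

```cisco
! Added example, not from the thread. Prefixes, names, AS and peer address are assumed.
! --- Location1 ASA (preferred path to VendorLocation1) ---
object network ENTERPRISE-NET
 subnet 10.0.0.0 255.0.0.0
object network VENDOR-NET
 subnet 172.16.50.0 255.255.255.0
access-list VENDOR-VPN extended permit ip object ENTERPRISE-NET object VENDOR-NET
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal VENDOR-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Policy-based tunnel to the vendor peer. "set reverse-route dynamic" installs a
! static route for VENDOR-NET only while the IPsec SA is up and withdraws it when
! the SA is torn down. Without the "dynamic" keyword the RRI route is installed
! as soon as the crypto map is applied and stays even when the tunnel is dead,
! which defeats the failover.
crypto map OUTSIDE-MAP 10 match address VENDOR-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal VENDOR-PROP
crypto map OUTSIDE-MAP 10 set reverse-route dynamic
crypto map OUTSIDE-MAP interface outside
!
! DPD: probe the peer after 10 s of silence, retry every 2 s. When the peer stops
! answering the SA is deleted, and that deletion is what pulls the RRI route.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <vendor-psk>
 ikev2 local-authentication pre-shared-key <vendor-psk>
 isakmp keepalive threshold 10 retry 2
!
! Redistribute only the RRI route (not the default route or other statics) into
! EIGRP towards switch1/router1 so the DMVPN sites learn the vendor prefix.
access-list RRI-PREFIXES standard permit 172.16.50.0 255.255.255.0
route-map RRI-ONLY permit 10
 match ip address RRI-PREFIXES
!
! Low delay (100) makes this the preferred path while the route exists.
router eigrp 100
 network 10.1.0.0 255.255.0.0
 redistribute static metric 100000 100 255 1 1500 route-map RRI-ONLY
!
! --- Location2 ASA (backup path) ---
! Same objects, crypto map, tunnel-group and route-map as above, pointed at the
! same vendor peer. Only the redistribution differs: a much larger delay (5000)
! so EIGRP prefers the location1 route whenever it is present. When location1's
! SA drops, its route is withdrawn and the location2 route is the only one left.
router eigrp 100
 network 10.2.0.0 255.255.0.0
 redistribute static metric 100000 5000 255 1 1500 route-map RRI-ONLY
```

To check it on each ASA: `show crypto ikev2 sa` confirms the SA is up, `show route static` shows the RRI route for 172.16.50.0/24 appearing and disappearing with it, and `show eigrp topology` on the ASA or the downstream router shows both candidate paths with location1's lower metric winning. Two caveats a practitioner would want: the vendor must be willing to terminate a second peer and, if both tunnels are up at once, must route its return traffic over the same tunnel the request came in on (or prefer location1 the same way), because a flow that leaves via one ASA and returns via the other will fail stateful inspection; and if the vendor will only accept one live tunnel at a time, use the first accepted answer's variant and bring up the location2 tunnel only on failover.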

OK, so RRI triggers the DPD technology, correct?

Without RRI, the DPD would not be in use, so if the link failed, nothing would know, correct?
