03-17-2023 06:36 AM
Hello.
TASK: implement technology so that when l2l VPN to vendor fails, EIGRP routing will redirect traffic to distant backup VPN.
Options: BGP config, SLA config, DPD config, (other)
Which option would you implement & why?
Thank you.
03-17-2023 06:38 AM - edited 03-17-2023 06:43 AM
@jmaxwellUSAF use a route based VPN.
Personally I'd use FlexVPN. Peer with the primary hub router and use the EIGRP/OSPF/BGP routing protocol; if the primary router fails, DPD detects the failure and establishes a tunnel to the next peer, and the routing adjacency is established.
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/116413-configure-flexvpn-00.html
On ASA or FTD you can also use VTI.
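For the ASA route-based option mentioned above, here is an added illustration (constructed for this thread, not Cisco's documentation or anyone's production config): a VTI to the vendor, with the static route through the tunnel tied to an IP SLA probe of the far-end tunnel address, so that a dead tunnel withdraws the route even when the vendor runs no routing protocol over it, and EIGRP redistribution then removes it from the rest of the network. It assumes ASA 9.7 or later (VTI support), EIGRP AS 100, documentation-range addresses (vendor peer 203.0.113.10, vendor network 192.0.2.0/24, tunnel /30 10.255.0.0/30), and that the vendor answers ICMP on its tunnel address; the peer and network names are made up.

```cisco
! --- location1 ASA, route-based (VTI) variant; all names and addresses are constructed examples ---
! IKEv2 policy and IPsec proposal (the vendor has to agree on these parameters)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VENDOR-VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256

! Peer definition with DPD: keepalive every 10 s, retry every 3 s once the peer stops answering
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-VENDOR-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-VENDOR-PSK
 isakmp keepalive threshold 10 retry 3

! The VTI is a routable interface with an any/any traffic selector, so the routing table,
! not a crypto ACL, decides what enters the tunnel.
interface Tunnel1
 nameif VENDOR-VTI
 security-level 0
 ip address 10.255.0.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VENDOR-VTI-PROFILE

! The vendor runs no routing protocol over the tunnel, so probe its tunnel address every 10 s
! and make the static route depend on the probe (the "SLA config" option from the question).
sla monitor 10
 type echo protocol ipIcmpEcho 10.255.0.2 interface VENDOR-VTI
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! Static route to the vendor network, present only while track 1 reports reachability
route VENDOR-VTI 192.0.2.0 255.255.255.0 10.255.0.2 1 track 1

! Redistribute it into EIGRP so router1, the DMVPN and location2 learn (and un-learn) it.
! Metric fields: bandwidth(kbps) delay(tens of us) reliability load mtu.
router eigrp 100
 network 10.1.0.0 255.255.0.0
 redistribute static metric 100000 100 255 1 1500
```

The location2 ASA would carry the same configuration towards its own tunnel, but with a much larger seed delay (for example `redistribute static metric 100000 1000000 255 1 1500`) so that, while both tunnels are up, every EIGRP speaker still prefers the location1 path; delay is cumulative along the path whereas bandwidth is the path minimum, so a large delay at the backup site keeps losing even when the DMVPN tunnel's own bandwidth value is small.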
03-17-2023 06:48 AM
Friend, this is your fifth time asking about VPN failover, and you are right to ask, because the case and config are different; you have many, many cases:
case1: ASA with dual ISP connected to another ASA with only one ISP
case2: ASA with dual ISP connected to another ASA with dual ISP
case3: two ASAs connected to another ASA with only one ISP
case4: two ASAs connected to another ASA with dual ISP
case5: two ASAs connected to two ASAs
Which case do you have??
03-17-2023 08:22 AM - edited 03-17-2023 08:26 AM
(Some of my posts are definitely a different situation than this post.) This post...
MyEnterprise-ASA5525-location1 <==> ISP1 <==> VendorLocation1
MyEnterprise-ASA1120-location2 <==> ISP2 <==> VendorLocation1
-ASA1 and ASA2 communicate with EIGRP.
-There are many vendors in same above architecture that this solution must satisfy.
03-17-2023 08:37 AM
@jmaxwellUSAF you are reliant on what the vendor has configured and what they are prepared to support. Are you completely redesigning the current VPN or are these new VPNs?
03-17-2023 10:33 AM
MyEnterprise-ASA5525-location1 <==> ISP1 <==> VendorLocation1
All vendors exist in above. Zero vendors exist in backup location (No VPNs there yet.)
03-20-2023 05:30 AM
A single VPN exists now. My boss wants me to erect a backup VPN at our different branch location.
Part of my administrative task is to convince the vendor of the need for this backup VPN.
I investigated FlexVPN, but that seems to be practical only for VPNs within a single enterprise.
I expect BGP is the best way to go, but I am not sure at all. What are your thoughts?
03-20-2023 05:42 AM
@jmaxwellUSAF FlexVPN is a good solution if you control it end to end, but as you don't control the other end use ASA or FTD.
Are you currently using a policy-based or route-based VPN at present?
I assume you want both location1 and location2 to access the vendorlocation1 via either tunnel, so do your location1 and location2 sites have a direct link (fibre, MPLS etc) or do they communicate via a VPN between the FTD and ASA?
03-20-2023 06:02 AM - edited 03-20-2023 06:02 AM
"they communicate via a VPN between the FTD and ASA?"
www1 <==> ASA5525 <==> switch1 <==> router1 <=DMVPN=> router2 <==> switch2 <==> ASA1100 <==> www2
03-20-2023 06:13 AM
@jmaxwellUSAF so assuming location1 has the active VPN. Advertise the vendor networks into your local network using the routing protocol that you run on the DMVPN, then switch2 in location2 will learn the networks and route over the DMVPN to access the vendorlocation1. If the VPN from location1 to vendorlocation1 fails, then establish a tunnel via the location2 FW to vendorlocation1 and advertise the vendorlocation routes into the local network, location1 will then learn these routes and route over the DMVPN to reach the vendorlocation1.
Another option is to have both VPNs active, but use a routing metric to prefer one VPN over the other. If one VPN fails, the routes disappear and traffic is routed via the other VPN.
03-20-2023 06:29 AM - edited 03-20-2023 06:29 AM
"Another option is to have both VPNs active, but use a routing metric to prefer one VPN over the other. If one VPN fails, the routes disappear and traffic is routed via the other VPN."
But how to set up an alert to the routers that the primary VPN has failed (the VPN link is not using EIGRP because of the foreign vendor AS; no dynamic routing protocol exists on this link)? It seems there are 3 solutions on this point...
Options: BGP config, SLA config, DPD config, (other).
I have been advised BGP is best. But that seems to imply injecting IBGP routes into network. What are your thoughts?
03-20-2023 06:34 AM - edited 03-20-2023 06:35 AM
@jmaxwellUSAF if using Policy Based VPN use Reverse Route Injection (RRI) on the Firewall in conjunction with a routing protocol (any) which will advertise the remote peer network(s) into the routing table of your local network (DMVPN and the other sites). When the VPN to the vendor fails, RRI will remove the remote networks from the Firewall and subsequently the routing table of the other devices in your network.
03-20-2023 06:51 AM
"When the VPN to the vendor fails, RRI will remove the remote networks"
How does the router know that the VPN link has failed? How does RRI technology alert the router that the link is now down (does it detect keepalives)?
03-20-2023 06:54 AM
@jmaxwellUSAF Dead Peer Detection (DPD) keepalives determine whether there is communication between the VPN peers; if not, it will tear down the tunnel, which would then remove the RRI-learnt routes of the remote networks.
https://community.cisco.com/t5/security-knowledge-base/dead-peer-detection/ta-p/3111324
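The DPD-plus-RRI chain described in the last two replies, as an added example for the policy-based (crypto map) case (constructed for this thread, not Cisco's documentation or anyone's production config): DPD declares the vendor peer dead, the ASA tears the SAs down, dynamic RRI withdraws the static route it had injected for the vendor network, and EIGRP redistribution of static routes withdraws it from router1, the DMVPN and location2. It assumes ASA 9.7 or later (the `dynamic` keyword on `set reverse-route`, without which the ASA installs the RRI route permanently and it would never disappear on failure), that an IKEv2 policy and an IPsec proposal named AES256-SHA256 are already configured, EIGRP AS 100, and documentation-range addresses (vendor peer 203.0.113.10, vendor network 192.0.2.0/24); the object, ACL and crypto map names are made up.

```cisco
! --- location1 ASA, primary tunnel to the vendor; all names and addresses are constructed examples ---
! Interesting traffic: our inside network to the vendor's network
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
object network VENDOR-NET
 subnet 192.0.2.0 255.255.255.0
access-list VENDOR-VPN-ACL extended permit ip object INSIDE-NET object VENDOR-NET

! Peer definition. DPD: keepalive every 10 s, retry every 3 s once the peer stops answering.
! It is the DPD failure, not RRI, that declares the peer dead and tears the SAs down;
! RRI only reacts to the SA going away.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-VENDOR-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-VENDOR-PSK
 isakmp keepalive threshold 10 retry 3

! Policy-based crypto map with dynamic RRI: a static route for 192.0.2.0/24 via outside
! is installed when the SA comes up and removed when the SA is torn down.
crypto map OUTSIDE-MAP 10 match address VENDOR-VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 10 set reverse-route dynamic
crypto map OUTSIDE-MAP interface outside

! Redistribute the RRI route into EIGRP towards switch1/router1 and, over the DMVPN, location2.
! Metric fields: bandwidth(kbps) delay(tens of us) reliability load mtu.
router eigrp 100
 network 10.1.0.0 255.255.0.0
 redistribute static metric 100000 100 255 1 1500

! --- location2 ASA: same objects, ACL, tunnel-group and crypto map towards the vendor,
! but a much larger seed delay so its route loses while location1's route is present.
! Delay is cumulative along the path while bandwidth is the path minimum, so a large
! delay here keeps losing even if the DMVPN tunnel's bandwidth value is small. ---
router eigrp 100
 network 10.2.0.0 255.255.0.0
 redistribute static metric 100000 1000000 255 1 1500
```

To watch the chain work, take the primary tunnel down and check in order: `show crypto ikev2 sa` on the location1 ASA (no SA for 203.0.113.10 once DPD gives up), `show route static` on the same box (192.0.2.0/24 via outside is gone), then `show ip eigrp topology 192.0.2.0 255.255.255.0` on router1 (the successor is now the path through the DMVPN to location2). The answer to the follow-up question is therefore: DPD does the detecting and runs whether or not RRI is configured; RRI is what turns "tunnel down" into "route gone", and EIGRP carries that to everyone else.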
03-20-2023 06:57 AM
OK, so RRI triggers the DPD technology, correct?
Without RRI, the DPD would not be in use, so if the link failed, nothing would know, correct?