Cisco ASA redundant vpn problem?

shanefalco
Level 1

Hi all,

I have an ASA 5500 series firewall and need to define another peer IP for a site-to-site VPN connection. Actually, my aim is this: the ASA tries the first peer IP of the site-to-site tunnel, and when the ASA cannot reach this IP, it tries to reach another IP which I defined before. I can configure this scenario on a Cisco router with these commands:

crypto map tohub 1 ipsec-isakmp
 set peer 10.1.1.1 default
 set peer 10.2.2.2

But I wonder whether I can do that on the ASA?

Thanks.

Best Regards.

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Shane,

You can configure multiple IP addresses under the same set peer entry on the ASA, but it will not work the same as on IOS with a preferred peer; it will cycle between the defined peers.

Marcin


3 Replies

Thank you Marcin,

You mean, when we use set peer 192.168.1.2 172.29.68.12, there is no preemption mechanism between those IPs, and it acts like a round-robin algorithm, right?

Shane,

Yup, I believe the command reference is accurate on this one:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/c5.html#wp2278871

Configuring multiple peers is equivalent to providing a fallback list. For each tunnel, the security appliance attempts to negotiate with the first peer in the list. If that peer does not respond, the security appliance works its way down the list until either a peer responds or there are no more peers in the list. You can set up multiple peers only when using the backup LAN-to-LAN feature (that is, when the crypto map connection type is originate-only). For more information, see the crypto map set connection-type command.

M.
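An ASA-side configuration that applies what Marcin and the command reference describe, as an added example that is not from the thread: it assumes ASA 8.4 syntax (matching the referenced command reference), reuses the 10.1.1.1 / 10.2.2.2 peers from Shane's IOS example, and uses constructed subnets, names, IKE parameters and placeholder pre-shared keys.

```cisco
! Phase 1 (IKEv1) policy; the parameters are assumptions, use what both ends support
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
!
! Interesting traffic: constructed spoke and hub subnets
access-list HUB_VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
!
crypto ipsec ikev1 transform-set HUB_TS esp-aes-256 esp-sha-hmac
!
! One crypto map entry listing both hub addresses. The ASA negotiates with
! 10.1.1.1 first and works down to 10.2.2.2 if it gets no response; there is
! no preferred-peer preemption as with the IOS "default" keyword.
crypto map tohub 1 match address HUB_VPN
crypto map tohub 1 set peer 10.1.1.1 10.2.2.2
crypto map tohub 1 set ikev1 transform-set HUB_TS
! Multiple peers are only accepted with the backup LAN-to-LAN feature,
! i.e. this side must be originate-only (the hub side is then answer-only).
crypto map tohub 1 set connection-type originate-only
crypto map tohub interface outside
!
! Each peer needs its own L2L tunnel-group; placeholder keys, replace before use
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK_PEER1
 isakmp keepalive threshold 10 retry 2
tunnel-group 10.2.2.2 type ipsec-l2l
tunnel-group 10.2.2.2 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK_PEER2
 isakmp keepalive threshold 10 retry 2
```

The DPD keepalives are what let the ASA notice a dead primary peer and move on to the next entry instead of waiting for the SA lifetime to expire; `show crypto ikev1 sa` shows which peer the tunnel is currently established with.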