Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
382
Views
0
Helpful
3
Replies

Creating VPN failover on Cisco ASA (single ISP)

nicholas.batchelor
Level 1
Level 1

‎12-22-2015 12:40 AM

I have a single Cisco ASA (8.4) shown on the left and I currently have two site-to-site VPNs setup to the two third party firewalls shown on the right.

A new circuit has been installed between the two third party sites and I would like to add the ability for the VPN/routing to failover to the other VPN in the event of losing one of the VPNs/third party firewalls.

For example if the top right firewall was to stop working, VPN 1 would drop and traffic destined for 192.168.0.2 would go via VPN 2.

I'm struggling to find any documentation on how to set this up, which leads me to think it may not be possible using the Cisco ASA, hense the reason for posting here. If you don't know then nobody does.

Can someone point me in the right direction or give a name to what I am trying to achieve so I can find some examples please.

Thanks

Labels:
0 Helpful
3 Replies 3

carlguer
Level 1
Level 1

‎12-22-2015 08:58 AM

Hi Nicholas,

This can be achieved by using a second peer on the proper crypto map.

This is how it should look like:

crypto map mymap 10 set peer x.x.x.x y.y.y.y

You can take a look at this link if you need additional information:

https://supportforums.cisco.com/discussion/10795551/asa-804-32-redundant-l2l-vpns

0 Helpful

nicholas.batchelor
Level 1
Level 1
In response to carlguer

‎12-24-2015 04:29 AM

Thanks - So essentially this would just create the VPN1 alongside VPN2. So we'll have two tunnels one carrying the 192.168.0.1 <-> 192.168.0.2 traffic and another carrying the 192.168.0.1 <-> 192.168.0.3 traffic?

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to nicholas.batchelor

‎12-24-2015 05:42 AM

I find the post a bit unclear and would like to understand a couple of things better. The original post says that there are already two VPN tunnels set up and running. But it tells us little about them. Are they both connected for the same enterprise? Is there a common set of resources reached through them? Or is there a unique set of subnets through one and a different set of subnets through the other?

It is also not clear how they are connected. The addressing given implies that both peers are on a common subnet. Is that the case? Also the original post indicates a new circuit is installed. But it is not clear what is connected by the new circuit and how that might impact connectivity between these peers. Can you provide some clarification?

I am concerned about the suggestion of configuring a second address on the set peer statement. Are we suggesting that one crypto map statement will use

set peer 192.168.0.2 192.168.0.3

while the other crypto map statement will use

set peer 192.168.0.3 192.168.0.2

In that case if one of the peers fails it will result in the ASA trying to establish two tunnels to the same remote device. And in my experience that is not supported.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents