I'm working on internet tunnel redundancy using seperate ASA's. Each ASA is connected to a seperate ISP. The ISP's are not peering as I ddont have a /24 block. The architecture is a headend site with an active/standby HA pair of ASA's connected to a remote site with two non-HA ASA's. The first challenge was making the internet failover. Now that I've accomplished that, I'm trying to get the IPSec tunnel to failover from one ASA to the other.
The remote site core router defaults subnets destined for the headend site to the internet. No statics or dynamic routes needed. When the primary ISP fails, all internet and tunnel bound traffioc follows the new default route to the second ASA/ISP. The tunnel does not establish. I see an MM_WAIT)MSG3 status for phase1 and no phase2 messages in my logs. My crypto maps are identical.
I read that to accomplish this type of failover for tunnels was to setup the headend site using dynamic crypto maps and the remote end as static crypto maps. I could not find any cisco doc on this and I'm not sure if 1) this is true, and 2) if it is true, what type of static crypto map for the remote ASA's, bidirectional, originate only or answer only.
So my primary question is, how do I configure the ASA's to fail over from one ISP to the other at the remote site, and what is the supported way to configure the headend endpoint as well?
Hello All, We are using appliance SNS-3495 with 18.104.22.1680 version patch 15. As per the notification pop, Flash player support to end on December 2020 and we are unable to login to CIMC Console for a re-imaging activity. My query1. Can...
Which Cisco Secure products include access to SecureX?
Eventually, all will. At the current time, a license to any of the Cisco products listed here grants immediate rights to use the SecureX platform:https://www.cisco.com/c/en/us/product...
More people are working remotely, and this increases the risk of security breaches and the difficulty in defending remote workers where they work and securing the devices they use.
Learn about Cisco Remote Secure Worker solutions that verify workers, secu...
ISE Node Terminology
Policy Administration Node
Monitoring & Troubleshooting Node
Policy Services Node
Platform Exchange Grid Node
The single plane of glass for ISE administration and configuration operatio...
On December 8, FireEye reported that it had been compromised in a sophisticated supply chain attack: more specifically through the SolarWinds Orion IT monitoring and management software. The attackers leveraged business software updates in order to distr...