09-22-2021 10:07 AM
We're currently making our network more resilient. Our current setup is a single ASA with a single ISP. Our plan going forward, which we are currently testing, is to utilize two ASA-configured FPR2000 series firewalls with port-channel redundancy connected to stacked C9200s.
Will port channels facilitate this dual-ISP setup with HA-pair failover, or should we use port-to-port connectivity between the switches and firewalls? We have two site-to-site VPNs with static routes weighted to fail over. We can establish BGP between the two ISP links and site-to-site VPNs. Failover is successful.
Need a little help. We can manually fail over using this method. The second site-to-site comes up but only allows one-way traffic.
09-22-2021 10:25 AM
Use IP SLA to track the ISP; if the first ISP fails, the route will drop and automatically fail over to the 2nd ISP.
Use Dead Peer Detection (DPD) to detect failure of a VPN peer and clear the IPsec SAs.
Use Reverse Route Injection (RRI) to advertise the remote networks on the connected tunnel. In the event of failover, the routes will be removed from the first tunnel and re-added once the 2nd tunnel is up.
You will need to ensure you have your NAT exemption rules in place for both ISP interfaces, so traffic is not unintentionally translated.
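The four points in the reply above, pulled together into one ASA configuration as an added example (it is not taken from the thread and was not posted by either participant). It assumes two outside interfaces named `outside` (ISP1) and `outside2` (ISP2), documentation addresses (203.0.113.0/24 and 198.51.100.0/24) for the ISP gateways and the remote site's two VPN peers, IKEv2 with pre-shared keys, and an ASA release that supports `set reverse-route dynamic` (9.7 or later); the remote site is assumed to mirror the two crypto-map entries and the NAT exemption on its side. All names and addresses are placeholders.

```cisco
! --- 1. IP SLA: track ISP1's gateway, float the default route to ISP2 ---
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 timeout 1000
 frequency 3
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
! Primary default route is withdrawn when track 1 goes down; the
! metric-254 route to ISP2 then takes over and egress moves to outside2.
route outside  0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! --- Local and remote networks (placeholders) ---
object network LOCAL_LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 10.2.0.0 255.255.0.0
access-list VPN_TRAFFIC extended permit ip object LOCAL_LAN object REMOTE_LAN
!
! --- IKEv2 / IPsec policy (assumed; adjust to your peer) ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ikev2 enable outside
crypto ikev2 enable outside2
!
! --- 3. RRI: one crypto map per ISP interface, each to the remote site's
!        peer on that path. "dynamic" injects the route to REMOTE_LAN only
!        while the SA is up, so it disappears when DPD clears the SA and
!        reappears on whichever interface the new tunnel comes up on. ---
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.50
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 10 set reverse-route dynamic
crypto map OUTSIDE_MAP interface outside
!
crypto map OUTSIDE2_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE2_MAP 10 set peer 198.51.100.50
crypto map OUTSIDE2_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE2_MAP 10 set reverse-route dynamic
crypto map OUTSIDE2_MAP interface outside2
!
! --- 2. DPD: probe a silent peer after 10 s, retry every 2 s, then tear
!        down the SAs so the stale tunnel and its RRI route go away. ---
tunnel-group 203.0.113.50 type ipsec-l2l
tunnel-group 203.0.113.50 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE_ME
 ikev2 local-authentication pre-shared-key REPLACE_ME
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.50 type ipsec-l2l
tunnel-group 198.51.100.50 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE_ME
 ikev2 local-authentication pre-shared-key REPLACE_ME
 isakmp keepalive threshold 10 retry 2
!
! --- 4. NAT exemption for BOTH ISP interfaces, ahead of the PAT rules.
!        route-lookup makes the ASA pick the egress interface from the
!        routing table instead of from the NAT rule that matched first. ---
nat (inside,outside)  source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
nat (inside,outside2) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
! Internet PAT on each ISP interface, evaluated after the exemptions.
nat (inside,outside)  after-auto source dynamic LOCAL_LAN interface
nat (inside,outside2) after-auto source dynamic LOCAL_LAN interface
```

Two caveats worth checking when a second tunnel comes up but traffic flows in only one direction. First, `route-lookup` on the exemption rules: without it, the first matching twice-NAT rule pins the egress interface to `outside` even after the default route has moved to `outside2`, so return traffic toward the remote LAN is sent out the dead interface while the remote side can still reach you. Second, with dynamic RRI the old weighted static routes to the remote LAN should be removed; a leftover static route pointing out the failed interface will win over nothing at all and blackhole the return path. Confirm with `show route`, `show crypto ipsec sa`, and `packet-tracer input inside tcp 10.1.0.10 12345 10.2.0.10 443` after forcing a failover, which shows both the NAT rule and the egress interface the ASA actually chose.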