Dual ISP to Active/Standby ASA with port channel failover

garrycorker
Level 1

We're currently making our network more resilient. Our current setup is a single ASA with a single ISP. Our plan, which we are currently testing, is to use two ASA-configured FPR2000 series firewalls with port-channel redundancy connected to stacked C9200s.

Will port channels facilitate this dual-ISP setup with HA pair failover, or should we use port-to-port connectivity between the switches and firewalls? We have two site-to-site VPNs with static routes weighted to fail over. We can establish BGP between the two ISP links and the site-to-site VPNs. Failover is successful.

 

Need a little help. We can manually fail over using this method. The second site-to-site tunnel comes up but only allows one-way traffic.

2 Replies

@garrycorker 

Use IP SLA to track the ISP; if the first ISP fails, the route will drop and traffic will automatically fail over to the 2nd ISP.

 

Use Dead Peer Detection (DPD) to detect failure of a VPN peer and clear the IPSec SAs.

 

Use Reverse Route Injection (RRI) to advertise the remote networks on the connected tunnel. In the event of failover the routes will be removed from the first tunnel and re-added once the 2nd tunnel is up.

 

You will need to ensure you have your NAT exemption rules in place for both ISP interfaces, so traffic is not unintentionally translated.
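The four steps in the reply above (IP SLA tracking of the primary ISP, DPD on the tunnel groups, RRI on the crypto maps, NAT exemption on both ISP interfaces) put together as one ASA configuration sketch. This is an added example for this thread, not configuration posted by anyone in it: the interface names (inside, ISP1, ISP2), object names, crypto map names, IKEv2 proposal and every address (RFC 5737 documentation ranges) are assumptions, and the pre-shared keys are placeholders. On an Active/Standby pair it is entered once on the active unit; the failover link replicates it to the standby.

```cisco
! Assumed topology (documentation addresses, not from the thread):
!   inside = LAN 10.10.0.0/16
!   ISP1   = primary uplink, next hop 203.0.113.1
!   ISP2   = secondary uplink, next hop 198.51.100.1
!   remote site: 192.0.2.10 (reached via ISP1), 192.0.2.20 (via ISP2)
!   remote LAN = 10.20.0.0/16

! --- 1. IP SLA tracks the primary ISP next hop. When the probe fails,
!        the tracked default route is withdrawn and the metric-254
!        route out ISP2 becomes active; it returns when the probe recovers.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface ISP1
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route ISP1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route ISP2 0.0.0.0 0.0.0.0 198.51.100.1 254

! --- 2. IKEv2/IPsec parameters shared by both tunnels (assumed values)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable ISP1
crypto ikev2 enable ISP2
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

object network LOCAL_LAN
 subnet 10.10.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 10.20.0.0 255.255.0.0
access-list VPN_TRAFFIC extended permit ip object LOCAL_LAN object REMOTE_LAN

! --- 3. One crypto map per ISP interface, each with its own remote peer.
!        'set reverse-route' (RRI) injects a route for REMOTE_LAN via
!        whichever tunnel is up, so return traffic follows the live tunnel.
crypto map ISP1_MAP 10 match address VPN_TRAFFIC
crypto map ISP1_MAP 10 set peer 192.0.2.10
crypto map ISP1_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map ISP1_MAP 10 set reverse-route
crypto map ISP1_MAP interface ISP1

crypto map ISP2_MAP 10 match address VPN_TRAFFIC
crypto map ISP2_MAP 10 set peer 192.0.2.20
crypto map ISP2_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map ISP2_MAP 10 set reverse-route
crypto map ISP2_MAP interface ISP2

! --- 4. Tunnel groups with DPD. A peer that stops answering for
!        threshold + retries seconds is declared dead, its SAs are cleared
!        and the RRI route it injected is removed with them.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
 isakmp keepalive threshold 10 retry 2

! --- 5. NAT exemption on BOTH egress interfaces, then PAT for Internet
!        traffic. 'route-lookup' makes the ASA choose the egress interface
!        from the routing table rather than from the NAT rule, which is
!        what you want when the same LAN can leave via either ISP.
nat (inside,ISP1) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
nat (inside,ISP2) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
nat (inside,ISP1) after-auto source dynamic any interface
nat (inside,ISP2) after-auto source dynamic any interface
```

To check it: `show track 1` and `show route` confirm which default route is installed; `show crypto ikev2 sa` shows which peer the tunnel is up with; and for a tunnel that "transmits but does not receive", `show crypto ipsec sa` will show `#pkts encaps` climbing while `#pkts decaps` stays at zero, which points at the return path (routing or NAT exemption on the far side) rather than at the local tunnel.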

 

We're getting these errors:
 
FW1 errors:
MAC encrypt: MAC UNDEF Digest Init failed.
MAC encrypt: MAC UNDEF Digest Init failed.
MAC encrypt: MAC UNDEF Digest Init failed.
 
The site-to-site VPN through ISP2 will establish and will transmit but will not receive.
 
FW1 to FW2 failover is in failed status.
 
 
On the distant-end FW, when adding a connection profile for the site-to-site VPN in the ASDM GUI, adding it to the CCSD2 interface automatically adds it to CCSD1 as well. There is no way to add it to only one of them. I can do this on FW1. If you delete a crypto map from one interface it is deleted from both. You cannot delete it from only one.