failover to different tunnels on ASA with one ISP, is this possible?

John Peterson
Level 1

Hi,

I have an ASA5515 and our remote sites which have a mesh topology of VPN.

At some times of the day routes to particular links are down due to the ISP core, but the tunnels from the same firewall can communicate with other sites.

Is it possible to have a way where you could route traffic to another ASA which has a connection to both of the ASAs that want to communicate, and have the traffic hairpinned? I know this is possible, but is it possible to make this automated?

Thanks.

5 Replies

Hi John,

I think this is possible with IP SLA, for instance:

sla monitor 10
 type echo protocol ipIcmpEcho 1.1.1.2 interface outside
 num-packets 4
 frequency 10
!
sla monitor schedule 10 life forever start-time now
!
track 10 rtr 10 reachability
!
! 1.1.1.2 is only reachable across the Core Router's connection,
! so the tracked default route (metric 1) stays installed only while
! that path answers ICMP
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1 track 10
!
! Backup default route towards the other ASA, with a worse metric (254)
! so it is used only once the tracked route has been withdrawn
route outside 0.0.0.0 0.0.0.0 10.1.1.2 254

So the 1.1.1.2 IP is your Core Router IP. If it stops responding to ICMP requests, then the ASA will uninstall the route from the routing table, and the second one, pointing to another ASA (where the hairpinning occurs), will take effect.

More information:

ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example

Let me know.

Portu.

Please rate any post you find useful.

Hi Javier,

Maybe it will help if I explain our network.

If you think of it like a triangle, with ASA A at the top, ASA B on the left and ASA C on the right.

All ASAs have one ISP link, but ASA B and C each have a site-to-site tunnel to ASA A.

The problem is that sometimes the link between ASA A and ASA C fails because the ISP routers have packet loss. But both devices can access the internet.

I know it is possible to have a tunnel between ASA B and C. But is it possible to tell the ASA that if the tunnel drops from ASA A to B, then all traffic with a destination of ASA C's internal network should go via ASA B?

Can you use dynamic routing? I know you can use OSPF, but I can't seem to think it would work.

John,

Please attach a network topology.

Thanks.

Hi,

The red line is the new VPN, and I want to route all traffic to the private network behind ASA C via ASA B if the VPN between ASA A and ASA C drops.

Thanks

John,

Thanks for the attachment.

All you have to do is:

ROUTER C

crypto map outside_map 10 set peer ASA_A_IP ASA_B_IP

If the tunnel to A goes down, then a new tunnel to ASA_B_IP will try to come up.

So basically we are adding a backup peer.

Please let me know.

Thanks.
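For the backup peer to actually carry traffic to the network behind ASA A, ASA B also needs crypto ACLs that cover C's LAN as transit, permission to hairpin traffic back out the interface it arrived on, and an identity NAT so the transit addresses are not rewritten. The fragments below are an added example, not configuration from this thread or from Cisco: all addresses, object, ACL, map and tunnel-group names are constructed placeholders (ASA A outside 203.0.113.1, B 203.0.113.2, C 203.0.113.3; LANs 10.10.0.0/24, 10.20.0.0/24, 10.30.0.0/24), and IKEv1 with pre-shared keys, an existing `crypto ikev1 enable outside`, an IKEv1 policy and a transform set named ESP-AES-SHA are assumed.

```cisco
! ASA C (constructed example): one entry, primary peer A, backup peer B
access-list C-TO-A extended permit ip 10.30.0.0 255.255.255.0 10.10.0.0 255.255.255.0
crypto map outside_map 10 match address C-TO-A
crypto map outside_map 10 set peer 203.0.113.1 203.0.113.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME-AC
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME-BC
!
! ASA B (constructed example): terminates C's backup tunnel and hairpins
! the C<->A flow back out "outside" into its existing tunnel to A.
same-security-traffic permit intra-interface
object network NET-A
 subnet 10.10.0.0 255.255.255.0
object network NET-C
 subnet 10.30.0.0 255.255.255.0
! Entry 10, tunnel to A: B's own LAN plus C's LAN (transit) -> A's LAN
access-list B-TO-A extended permit ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list B-TO-A extended permit ip 10.30.0.0 255.255.255.0 10.10.0.0 255.255.255.0
crypto map outside_map 10 match address B-TO-A
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
! Entry 20, tunnel to C: B's own LAN plus A's LAN (transit) -> C's LAN
access-list B-TO-C extended permit ip 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list B-TO-C extended permit ip 10.10.0.0 255.255.255.0 10.30.0.0 255.255.255.0
crypto map outside_map 20 match address B-TO-C
crypto map outside_map 20 set peer 203.0.113.3
crypto map outside_map 20 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
! Transit traffic enters and leaves on "outside"; identity twice-NAT on
! that interface pair (ASA 8.3+) keeps the C and A addresses unchanged
nat (outside,outside) source static NET-C NET-C destination static NET-A NET-A no-proxy-arp route-lookup
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME-AB
tunnel-group 203.0.113.3 type ipsec-l2l
tunnel-group 203.0.113.3 ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME-BC
```

ASA A must likewise list C's LAN in the crypto ACL of its entry for peer B, and because the ASA uses the first crypto map entry (lowest sequence) whose ACL matches, A's return traffic to 10.30.0.0/24 follows whichever of its entries for C and B comes first, so the ordering on A decides whether replies take the direct tunnel or the path via B.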