Failover VPNs ASA -> 3rd Party Device

justinfielding (Level 1)

I have an interesting scenario and can't work out how to solve my problem.

We have multiple sites.  Each site has two P2P links back to different data centres, in turn the data centres are connected via P2P links.  OSPF runs across the network to provide redundant routing so there is no single point of failure.  Two of the data centres have Internet breakout via Fortigate firewalls.  These participate in OSPF and advertise weighted default routes to the rest of the network.  This all works well.

The problem I have relates to one site which connects in via an IPSEC tunnel (from an ASA to the Fortigate in the Primary DC).  I need to set things up so that if the firewall in the Primary DC goes down for whatever reason, the ASA at the remote site initiates a VPN connection to the firewall in the Secondary DC.

From what I have found online if we had ASAs at both ends I could make use of the Backup Lan-to-Lan feature.  If we had IOS routers (or at least an IOS router at the remote site rather than an ASA) I could use the IPsec Preferred Peer option.

Does anyone know how I can achieve what I need with the hardware currently in place?  If I need to replace hardware then swapping out the ASA on the remote site for a Fortigate will likely be the easiest and most cost effective route to take.

6 Replies

Marcin Latosiewicz (Cisco Employee)

Justin, 

Yeah ASA is limited in terms of options compared to IOS.

However what you can do is to have ASA in "respond only" mode for a crypto map entry (with IP addresses of both gateways). 

In this scenario it would be up to the DC side to initiate the tunnels to ASAs (and pick which one should initiate). 

May or may not work in your setup. 

Also worth mentioning is that we recently added support for this:

https://tools.cisco.com/bugsearch/bug/CSCui57181/?reffering_site=dumpcr

Again may or may not work for you. 

M.
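The "respond only" crypto map entry with both DC gateways listed as peers, written out as an added configuration example; it is not from the original thread or from Cisco documentation. The interface and object names, the RFC 5737 peer addresses (203.0.113.1 and 203.0.113.2 for the Primary and Secondary DC Fortigates), the 10.10.0.0/16 remote LAN and the pre-shared key placeholder are all assumptions:

```cisco
! Phase 1: IKEv1 on the outside interface (policy values assumed)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! Phase 2 transform set (assumed name)
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic: remote-site LAN to the DC-side address space (assumed ranges)
access-list VPN-DC-TRAFFIC extended permit ip 10.10.0.0 255.255.0.0 10.0.0.0 255.0.0.0

! One crypto map entry, two peers, answer-only: the ASA never initiates,
! it accepts a tunnel from whichever DC Fortigate builds one. Which DC
! initiates (and when to switch) is therefore decided on the Fortigate side.
crypto map OUTSIDE_MAP 10 match address VPN-DC-TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE_MAP 10 set connection-type answer-only
crypto map OUTSIDE_MAP interface outside

! A tunnel-group per peer so each DC can hold its own pre-shared key
! (use a distinct, high-entropy key per peer; the values below are placeholders)
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PRIMARY-DC-PSK-PLACEHOLDER>
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <SECONDARY-DC-PSK-PLACEHOLDER>

! Verification after a DC-side initiation attempt:
!   show crypto ikev1 sa      -> which peer currently holds the phase 1 SA
!   show crypto ipsec sa      -> encaps/decaps counters per peer
```

The point to keep in mind with answer-only is the one Marcin raises: the ASA has no say in failover. If both Fortigates try to bring up a tunnel at the same time, both phase 1 SAs can exist but the crypto map entry still selects a single active IPsec SA for the interesting traffic, so the DC side needs a rule for which firewall initiates and when it stops.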


Thanks for the reply Marcin.  Both of your suggestions are good ones, however in this scenario both DC firewalls are alive at the same time, so there needs to be some kind of logic on the device at the remote site to say that it should only use tunnel B if tunnel A is down.

Thinking on this, is it possible to run an 'interface' or 'routed' mode IPSEC VPN with the ASA?  I know this is possible with the Fortigates and think it's the default mode for Junipers.  If that were possible we might be able to have both tunnels up and have OSPF run over them which would be another way to solve this problem.

No routed VPN support on ASA, we've been fighting for it for ages, not that it helps you much.

How many interfaces facing "outside" do you have on those ASAs?

Just one outside interface.

The ASA's lack of functionality is very disappointing, it's not like they are cheap and cheerful consumer units.  It looks like I'm going to have to propose swapping it out for a Fortigate.

I find it really odd that in switching and routing Cisco are great but for firewalls so behind, particularly the ASAs.  It seems like an ISR actually has better capabilities.


Justin, 

ISR/ASR are indeed more feature rich in terms of IPsec. ASA would have more/better remote access capabilities. 

Bring it up with your SE if you have the time; they don't necessarily like it when Cisco kit is being swapped out, plus they can sit with you, look at the overall design and suggest what can be done. 

That last is very hard to do via forums :-)

M.