
Help with VPN from 2 Datacenters to 1 Cisco ASA 5505 (diag to explain)

ajwhite0
Beginner

Hello,

 

We have a site-to-site VPN from our Datacenter A to a Cisco ASA 5505 over the Internet, which is working fine. We don't manage the Cisco ASA, as it's managed by an ISP we use. We've been asked to set up redundancy from Datacenter B to this Cisco 5505. We have configured both Cisco 3900s, but when the ISP adds the 2nd tunnel to the ASA, the VPN goes down. Of course, both 3900s have their own public IP; they also have BGP set up so both datacenters can get to each other.

 

The VPN goes down when the ISP adds the 2nd tunnel config to their ASA for Site B as (we think) the remote subnets configured are the same on their tunnel to site A and B, which they need to be. The ASA can't do route-based policies apparently, but they (the ISP) say it can do policy-based routing, which should help. The ASA doesn't know which VPN should be the active/primary one.

 

At this point I'm confused and it's a little over my head/knowledge now.  Any ideas/help would be most appreciated.

 

vpn1.JPG

 

Thanks

1 Reply

Pawan Raut
Enthusiast

Assuming both VPNs use the same encryption domain, then on the ASA, instead of creating two separate VPNs for Datacenter A and B, create a single VPN using the two peer IPs of Datacenter A and B using:

 

crypto map <name of cryptomap> xx set peer <Datacenter A Public IP> <DataCenter B Public IP>
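
Added example, not part of the reply above and not Cisco's code: a small Python check that reads ASA configuration text, finds crypto map entries whose encryption domains (ACL contents) are identical, and builds the single `set peer` line the reply suggests. The map name, ACL names, subnets and peer addresses in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample (documentation addresses); names and subnets are assumptions.
# Only the single-line command forms shown here are parsed.
SAMPLE_CONFIG = """\
access-list VPN_DC_A extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPN_DC_B extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto map OUTSIDE_MAP 10 match address VPN_DC_A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 20 match address VPN_DC_B
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (.+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")


def find_overlapping_entries(config):
    """Return (map, [seqs], merged 'set peer' line) for crypto map entries
    whose ACLs contain exactly the same rules."""
    acls = defaultdict(set)      # ACL name -> set of rule bodies
    domains = {}                 # (map, seq) -> ACL name
    peers = defaultdict(list)    # (map, seq) -> peer IPs in configured order
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            acls[m[1]].add(m[2])
        elif m := MATCH_RE.match(line):
            domains[(m[1], int(m[2]))] = m[3]
        elif m := PEER_RE.match(line):
            peers[(m[1], int(m[2]))].extend(m[3].split())
    groups = defaultdict(list)   # (map, frozen ACL contents) -> [seq, ...]
    for (cmap, seq), acl in domains.items():
        if acl in acls:
            groups[(cmap, frozenset(acls[acl]))].append(seq)
    findings = []
    for (cmap, _), seqs in groups.items():
        if len(seqs) > 1:
            merged = []
            for seq in sorted(seqs):
                merged += [p for p in peers[(cmap, seq)] if p not in merged]
            fix = f"crypto map {cmap} {min(seqs)} set peer {' '.join(merged)}"
            findings.append((cmap, sorted(seqs), fix))
    return findings


if __name__ == "__main__":
    for cmap, seqs, fix in find_overlapping_entries(SAMPLE_CONFIG):
        print(f"{cmap}: entries {seqs} share one encryption domain -> {fix}")
```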
