Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1011
Views
0
Helpful
3
Replies

how to set up backup vpn tunnel over redudant internet connection

carl_townshend
Spotlight
Spotlight

‎11-08-2016 06:31 AM

Hi All

I am having issues getting my backup site to site tunnels working over a backup internet connection.

The settings I have used are

create 2 links on Headend ASA, with 2 static routes, one has a higher metric and sla.

create vpn to remote router going out the primary interface

added 2nd crypto map via backup interface

on remote router

set up vpn to headend router

added second peer to the crypto map for the backup connection

added tunnel group with the second IP address and pre shared key.

I have also added 2 NAT rules on the headend asa sourcing out of primary and secondary interface.

The headend ASA also has routes for each site to site vpn pointing of both isp interfaces, again with different metrics, these are used by the NAT rules "lookup route table to locate egress interface"

I am getting an error on the headend asa, saying


%ASA-3-713258: IP = var1, Attempting to establish a phase2 tunnel on 
var2 interface but phase1 tunnel is on var3 interface. Tearing down old phase1
tunnel due to a potential routing change.

On the remote end, I see the phase 2 complete, but then the headend tears it down saying user requested.

Am I missing something here?

cheers

Labels:
0 Helpful
3 Replies 3

mdussana
Level 1
Level 1

‎11-08-2016 08:07 AM

Hi Carl,

So far it seems the ASA is building PHASE1 and PHASE2 in different interfaces, you could verity this behavior by capturing UDP500 and ESP packets on both interfaces.

You might probably need to an static route to reach the remote peer by the proper interface, since it probably using your default route. This new route should have applied the same SLA.

0 Helpful

carl_townshend
Spotlight
Spotlight
In response to mdussana

‎11-09-2016 03:02 AM

are there any instructions anywhere using ASDM on what I need to do?

do I need 2 tunnel groups setting up on the remote end so there is a pre shared key for both ip addresses ?

cheers

0 Helpful

a.amin@csm-compressor.com
Level 1
Level 1
In response to carl_townshend

‎10-18-2019 07:51 AM

Hello

 

If you still having this issue try to follow below link

 

https://www.youtube.com/watch?v=KDQr5X5lVMY

0 Helpful
Customers Also Viewed These Support Documents