09-08-2011 05:49 AM - edited 02-21-2020 05:34 PM
Hey everyone - got a question I hope you guys can sort out for me. I've got a setup with (to start with) two offices, both with ASAs and both with dual WAN connections (different providers) on each with failover configured using tracking - this part is working just fine. I've also configured a failover VPN tunnel between the sites as well using this post (https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/04/25/ipsec-vpn-redundancy-failover-over-redundant-isp-links) and it works fine as well, however, the scenario in the post talks about one office having 2 WAN connections and the other office having 1 WAN connection. Now I've configured my firewalls to match this post as far as the failover VPN goes and it works, but it's only utilizing one WAN connection at the remote site. In my scenario, I want to make use of the secondary WAN connection at the remote site for VPN redundancy. Any ideas on how I can get this to work with what I've got?
PS: I already sent a message to the user that posted the scenario in the link above and haven't heard anything back - this is why I'm taking it to everyone.
Thanks in advance guys!
-Bobby
09-08-2011 08:23 AM
Hi Bobby,
Just as you did with the first one, you need to apply the crypto map to both interfaces on the remote site, for example:
crypto map VPN-map interface Primary
crypto map VPN-map interface Backup
And configure backup peers on the main site so that if the primary connection of the remote site is down, it will try the backup connection:
crypto map Outside_map 20 set peer 1.1.1.1 2.2.2.2
Same for the tunnel groups:
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
HTH
Raga
09-08-2011 08:47 AM
Raga,
Thanks for taking the time to reply! I wasn't sure it would be that easy to just basically set up the same config on each firewall (as far as the peer and the tunnel-groups). It will take me maybe a week or so to actually test the failover but I will let you know how it works. Thanks again!
-Bobby
09-08-2011 08:50 AM
Sure anytime.
09-13-2011 07:06 AM
Raga,
I was able to get this tested and haven't had any luck - I've got everything configured properly as far as the crypto maps, tunnel groups and peers go - but here is what I am seeing. When I fail this over (at the remote office) by disconnecting the WAN side, that firewall shows the tunnel going down, however, my main office still shows the tunnel as up, and even after reconnecting the WAN connection back I have to manually kill the tunnel on the main office side and then it rebuilds right away.
-Bobby
09-13-2011 07:28 AM
Try adding this command on both sites:
isakmp keepalive 10 2
This would constantly check if the remote peer is down and tear down the tunnel automatically.
09-13-2011 07:31 AM
Is this command used in conjunction with the SLA tracking to monitor the actual interface? Or do you use one-or-the-other?
09-13-2011 07:37 AM
Actually, the command is to monitor the VPN peer and tear the tunnel down if the remote peer doesn't respond. It will affect only the VPN connection.
You would still need the SLA tracking to monitor the interface.
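Putting Raga's pieces together on one box: a hub-side configuration that combines SLA tracking for the ISP failover, the crypto map bound to both WAN interfaces, the backup peer list, a tunnel-group per spoke address, and Dead Peer Detection. This is an added example, not configuration from the thread or from Cisco; interface names, ISP next hops, LAN ranges and the PSK are placeholders, the peer addresses 1.1.1.1/2.2.2.2 are the ones used in the thread, and the per-tunnel-group `isakmp keepalive threshold ... retry ...` form is assumed to be the ASA equivalent of the global `isakmp keepalive 10 2` suggested above.

```cisco
! Hub ASA ("Firewall 1"), constructed example. Interfaces "outside" (WAN1) and "backup"
! (WAN2); ISP next hops 203.0.113.1 / 198.51.100.1 and LAN ranges are placeholders.
! Spoke peer addresses 1.1.1.1 and 2.2.2.2 are the ones used in the thread.
!
! 1. ISP failover: the primary default route is withdrawn when the SLA probe fails,
!    so IKE/ESP are sourced from the backup interface and its crypto map binding.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! 2. IKEv1 phase 1 enabled on BOTH WAN interfaces
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! 3. One crypto map entry with the spoke's two WAN addresses as peers; the map is
!    bound to both WAN interfaces so a failover on either side keeps a valid binding.
access-list HUB-TO-SPOKE extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map Outside_map 20 match address HUB-TO-SPOKE
crypto map Outside_map 20 set peer 1.1.1.1 2.2.2.2
crypto map Outside_map 20 set transform-set ESP-AES256-SHA
crypto map Outside_map interface outside
crypto map Outside_map interface backup
!
! 4. A tunnel-group per spoke address. Dead Peer Detection (assumed ASA form of the
!    "isakmp keepalive 10 2" suggested in the thread) tears down a stale SA so the
!    hub does not keep reporting the tunnel "up" after the spoke has failed over.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
!
! The spoke ("Firewall 2") mirrors this block: crypto map bound to Primary and Backup,
! "set peer" listing the hub's two WAN addresses, and a tunnel-group for each of them.
```

NAT exemption for the 10.1.0.0/16 to 10.2.0.0/16 traffic is assumed to already be in place (its syntax differs between 8.2 and 8.3, which is why it is left out here).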
09-13-2011 02:01 PM
OK - gave that a shot - didn't work either. However, I think I may be fighting the existing config which is making things a bit more complicated. I was holding off on letting that out because I thought I'd be able to deal with it and make the changes necessary to adapt the config - that's proving to be a little difficult. Let me explain.
Firewall 1 - configured only for testing
2 WANs configured - SLA tracking and failover configured
1 LAN for testing
site-to-site is configured to the remote office (firewall 2) on the primary WAN interface (also the default gateway)
Default gateway is out WAN1, no other routing is being done, no other VPN connections exist
Firewall 2 - Production firewall in a remote location (already configured by previous IT)
2 WANs configured - SLA tracking and failover configured
1 LAN - production remote network.
site-to-site with another location, and site-to-site to the test firewall (firewall1) configured on the backup WAN interface
Default gateway is out WAN1 for most traffic going to the internet. Any traffic that is going to other subnets in the company follows a static route that points the traffic down the backup WAN interface (where the site-to-site exists).
--
The testing I have been doing has not been working, however I think it may be because the configuration on the remote firewall (firewall 2) is overly complicated. The backup interface is obviously not the primary but holds the VPN tunnels anyway, and that interface doesn't have any SLA tracking set up, so when I disconnect that connection from the firewall, nothing fails over.
I'm thinking that I need to configure Firewall2 like Firewall1 and get the VPN tunnels down the main WAN side so it can work with the SLA monitoring and whatnot.
I'm not sure if this is the answer but I think it might clear things up. Do you see a problem with running with the config on Firewall2 or do you think it should be changed?
hope I made some sense...
thanks!!
09-14-2011 03:54 PM
Well, I agree with you. I think you would need to configure Firewall 2 as Firewall 1, especially the SLA part first, and then once you have that working start playing with the VPN backup peers.
09-20-2011 09:33 AM
Raga - that seemed to do the trick - Once I cleaned up the remote firewall and reconfigured the tunnel between it and my central office firewall, redundancy seems to be working on both sides. Thanks for the help!
09-21-2011 07:44 AM
Hey Glad to hear that! Have a good one!
07-12-2012 03:43 PM
How do I have VPN redundancy on ASA 5520 on 8.3 IOS? I have activated SLA and configured VPN on outside and backup. How do I achieve redundancy over VPN on 8.3 IOS?