IPSEC VPN Redundancy, help!

rjberetto
Level 1

Hey everyone - got a question I hope you guys can sort out for me.  I've got a setup with (to start with) two offices, both with ASAs and both with dual WAN connections (different providers) on each, with failover configured using tracking - this part is working just fine.  I've also configured a failover VPN tunnel between the sites as well using this post (https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/04/25/ipsec-vpn-redundancy-failover-over-redundant-isp-links) and it works fine as well; however, the scenario in the post talks about one office having 2 WAN connections and the other office having 1 WAN connection.  Now I've configured my firewalls to match this post as far as the failover VPN goes and it works, but it's only utilizing one WAN connection at the remote site.  In my scenario, I want to make use of the secondary WAN connection at the remote site for VPN redundancy.  Any ideas on how I can get this to work with what I've got?

PS: I already sent a message to the user that posted the scenario in the link above and haven't heard anything back - this is why I'm taking it to everyone.

Thanks in advance guys!

-Bobby


raga.fusionet
Level 4

Hi Bobby,

Just as you did with the first one, you need to apply the crypto map to both interfaces on the remote site, for example:

crypto map VPN-map interface Primary
crypto map VPN-map interface Backup

And configure backup peers on the main site so that if the primary connection of the remote site is down, it will try the backup connection:

crypto map Outside_map 20 set peer 1.1.1.1 2.2.2.2

Same for the tunnel groups:

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *

HTH

Raga



Raga,

      Thanks for taking the time to reply!  I wasn't sure it would be that easy to just basically setup the same config on each firewall (as far as the peer and the tunnel-groups).  It will take me maybe a week or so to actually test the failover but I will let you know how it works. Thanks again!

-Bobby

Sure anytime.

Raga,

      I was able to get this tested and haven't had any luck - I've got everything configured properly as far as the crypto maps, tunnel groups and peers go - but here is what I am seeing.  When I fail this over (at the remote office) by disconnecting the WAN side, that firewall shows the tunnel going down; however, my main office still shows the tunnel as up, and even after reconnecting the WAN connection back I have to manually kill the tunnel on the main office side and then it rebuilds right away.

-Bobby

Try adding this command on both sites:

isakmp keepalive 10 2

This would constantly check if the remote peer is down and tear down the tunnel automatically.
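As an added example (not config from this thread, from Cisco, or from either poster), a Python checker that reads an ASA-style config and looks for the pieces Raga's answer and the keepalive reply above call for: the crypto map bound to both WAN interfaces, a backup address on "set peer", a tunnel-group with a pre-shared key for every listed peer, and dead-peer keepalives. The sample config is constructed with documentation addresses, and the script assumes the tunnel-group form of the keepalive command, "isakmp keepalive threshold 10 retry 2" under "tunnel-group ... ipsec-attributes".

```python
import re
from collections import defaultdict
# Constructed sample ASA config; RFC 5737 documentation addresses stand in for the peers.
SAMPLE_CONFIG = """\
crypto map Outside_map 20 set peer 198.51.100.1 203.0.113.1
crypto map Outside_map interface Primary
crypto map Outside_map interface Backup
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key *****
"""
def parse_asa(config):
    """Collect crypto-map peer lists, interface bindings and tunnel-group attributes."""
    peers, bound, tgroups = defaultdict(list), defaultdict(set), defaultdict(dict)
    current = None  # tunnel-group whose ipsec-attributes block we are inside
    for line in config.splitlines():
        if current is not None and line.startswith(" "):  # indented sub-command
            words = line.split()
            if words[:1] == ["pre-shared-key"]:
                current["psk"] = True
            elif words[:2] == ["isakmp", "keepalive"]:
                current["keepalive"] = " ".join(words[2:])
            continue
        current = None
        if m := re.match(r"crypto map (\S+) \d+ set peer (.+)", line):
            peers[m[1]].extend(m[2].split())
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            bound[m[1]].add(m[2])
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            current = tgroups[m[1]]
    return peers, bound, tgroups

def check_redundancy(config, interfaces=("Primary", "Backup")):
    """Return findings; an empty list means every redundancy piece is present."""
    peers, bound, tgroups = parse_asa(config)
    findings = []
    for name, plist in peers.items():
        if missing := set(interfaces) - bound[name]:
            findings.append(f"crypto map {name} not applied to {sorted(missing)}")
        if len(plist) < 2:
            findings.append(f"crypto map {name} lists no backup peer")
        for p in plist:  # each listed peer needs its own tunnel-group with a PSK
            tg = tgroups.get(p, {})
            if not tg.get("psk"):
                findings.append(f"peer {p}: no tunnel-group pre-shared-key")
            if "keepalive" not in tg:
                findings.append(f"peer {p}: no isakmp keepalive, dead peer goes unnoticed")
    return findings
```

Run against the sample, it reports only the second peer's missing keepalive, which is exactly the symptom in the thread: the far side never notices the peer went away.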

Is this command used in conjunction with the SLA tracking to monitor the actual interface?  Or do you use one-or-the-other?

Actually, the command is to monitor the VPN peer and tear the tunnel down if the remote peer doesn't respond. It will affect only the VPN connection.

You would still need the SLA tracking to monitor the interface.

OK - gave that a shot - didn't work either.  However, I think I may be fighting the existing config, which is making things a bit more complicated.  I was holding off on letting that out because I thought I'd be able to deal with it and make the changes necessary to adapt the config - that's proving to be a little difficult.  Let me explain.

Firewall 1 - configured only for testing

2 WANs configured - SLA tracking and failover configured

1 LAN for testing

site-to-site is configured to the remote office (firewall 2) on the primary WAN interface (also the default gateway)

Default gateway is out WAN1, no other routing is being done, no other VPN connections exist

Firewall 2 - Production firewall in a remote location (already configured by previous IT)

2 WANs configured - SLA tracking and failover configured

1 LAN - production remote network.

site-to-site with another location, and site-to-site to the test firewall (firewall1) configured on the backup WAN interface

Default gateway is out WAN1 for most traffic going to the internet.  Any traffic that is going to other subnets in the company follow a static route that points the traffic down the backup WAN interface (where the site-to-site exists).

--

The testing I have been doing has not been working; however, I think it may be because the configuration on the remote firewall (firewall 2) is overly complicated.  The backup interface, obviously not being the primary, is holding the VPN tunnels anyway, and that interface also has no SLA tracking set up, so when I disconnect that connection from the firewall, nothing fails over.

I'm thinking that I need to configure Firewall2 like Firewall1 and get the VPN tunnels down the main WAN side so it can work with the SLA monitoring and whatnot.

I'm not sure if this is the answer but I think it might clear things up.  Do you see a problem with running with the config on Firewall2, or do you think it should be changed?

hope I made some sense...

thanks!!

Well, I agree with you. I think you would need to configure Firewall 2 as Firewall 1, especially the SLA part first, and then once you have that working start playing with the VPN backup peers.

Raga - that seemed to do the trick - Once I cleaned up the remote firewall and reconfigured the tunnel between it and my central office firewall, redundancy seems to be working on both sides.  Thanks for the help!

Hey Glad to hear that! Have a good one!

How do I get VPN redundancy on an ASA 5520 on 8.3? I have activated SLA and configured VPN on outside and backup. How do I achieve redundancy over VPN on 8.3?