question about site to site tunnel failover and redundancy

west33637
Level 1

First I create the below crypto map:

crypto map IPSec_map 10 match address encrypt-acl
crypto map IPSec_map 10 set peer 209.165.201.1
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map 10 set reverse-route

Then I configure a 2nd map statement, matching the same ACL:

crypto map IPSec_map 20 match address encrypt-acl
crypto map IPSec_map 20 set peer 23.10.10.10
crypto map IPSec_map 20 set transform-set myset
crypto map IPSec_map 20 set reverse-route

My first question is: since the crypto maps are processed in sequence, does this mean the first VPN tunnel (map 10) will always be used if it's up?

If so, what happens when the remote peer 209.165.201.1 becomes unreachable? Does the tunnel to the 23.10.10.10 peer automatically take over?

What is the best way to achieve a primary and backup site-to-site VPN where 209.165.201.1 is primary and 23.10.10.10 is backup and comes up only when the primary is down?

Thanks

Accepted Solution

Hi,

As you mentioned, the crypto maps are processed in order.

If both crypto maps have the same "interesting traffic", then the second crypto map will never be used (the first crypto map will be used).

The best way to achieve redundancy is to do the following:

crypto map IPSec_map 10 match address encrypt-acl
crypto map IPSec_map 10 set peer 209.165.201.1 23.10.10.10
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map 10 set reverse-route

Note from the above example that you defined a single crypto map instance having two peers. The first peer is going to be tried first and if no response, the second peer will be used as a backup.

Hope it helps.


Federico.
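An added check (not part of this thread or of any Cisco tooling) that reads crypto map lines from a running-config and reports the two conditions discussed above: a higher sequence number that matches an ACL already claimed by a lower one (it is never selected, so it gives no failover), and an entry with only one peer and therefore no backup. The two sample configs are constructed from the thread and trimmed to the lines the check reads.

```python
import re
from collections import defaultdict

# Constructed sample (only the lines the check reads): the poster's two entries.
SHADOWED_CONFIG = """
crypto map IPSec_map 10 match address encrypt-acl
crypto map IPSec_map 10 set peer 209.165.201.1
crypto map IPSec_map 20 match address encrypt-acl
crypto map IPSec_map 20 set peer 23.10.10.10
"""

# Constructed sample: the accepted answer's single entry with two peers.
REDUNDANT_CONFIG = """
crypto map IPSec_map 10 match address encrypt-acl
crypto map IPSec_map 10 set peer 209.165.201.1 23.10.10.10
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (.+)$")

def parse_crypto_maps(config):
    """Return {map_name: {seq: {'acl': str | None, 'peers': [ip, ...]}}}."""
    maps = defaultdict(lambda: defaultdict(lambda: {"acl": None, "peers": []}))
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())  # transform-set etc. are skipped
        if not m:
            continue
        name, seq, kind, rest = m.groups()
        entry = maps[name][int(seq)]
        if kind == "match address":
            entry["acl"] = rest.strip()
        else:  # 'set peer' may list several peers; repeated lines accumulate
            entry["peers"].extend(rest.split())
    return maps

def audit_crypto_maps(config):
    """Flag entries shadowed by a lower sequence with the same ACL, and single-peer entries."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        seen_acl = {}  # acl -> sequence number of the entry that wins
        for seq in sorted(entries):
            entry, acl = entries[seq], entries[seq]["acl"]
            if acl in seen_acl:
                findings.append(f"{name} {seq}: shadowed by entry {seen_acl[acl]} "
                                f"(same ACL {acl}); this entry is never used")
            elif acl is not None:
                seen_acl[acl] = seq
            if len(entry["peers"]) < 2:
                findings.append(f'{name} {seq}: single peer {", ".join(entry["peers"]) or "none"}, no backup peer')
    return findings
```

Run `audit_crypto_maps` over the text of `show running-config` to confirm that a change intended to add a backup peer actually lands in the same crypto map entry rather than in a shadowed one.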


Thanks!