RA / S2S VPN - Two IP Addresses

Brad_Shawh (Level 1)

On Site A, I have two ISPs, and both of them are unstable: sometimes one ISP works, sometimes the other.

 

1) How can I create a S2S VPN to Site B using both these IP addresses such that, if one goes down, the other takes over?

 

2) I want to create Remote Access VPN, with the ISP situation, what's the best way?

 

 


Hi @Brad_Shawh 

You can define multiple Site-to-Site peers in a crypto map, e.g.

crypto map CMAP 1 set peer 1.1.1.1 2.2.2.1

This way if the peer detects ISP1 has failed it will attempt to establish a tunnel to the second peer.

 

For the RAVPN, you can enable it on both outside interfaces and, on the client AnyConnect profile, define a primary ASA and a backup list of peers. If the primary is down, AnyConnect will attempt to connect to the next peer in the backup list. You would need to use IP SLA to determine when a link is down to fail over the default route to the other ISP.

 

However, you are probably better troubleshooting your ISP issues further. Depending on the ISP issues, you could be flipping between peers randomly.

 

HTH

Thank you.

 

The S2S VPN already works.

 

How do I do this: "on the client AnyConnect profile, define a primary ASA and a backup list of peers"?

Use the AnyConnect Profile Editor, e.g.

 

[Screenshot: 12.PNG]

If my public IPs are 1.1.1.1 and 2.2.2.2, is the following all right (assuming I already set the IP SLA tracker)?

 

(can't paste picture, I attached it)

If 2.2.2.2 is the primary address, then you don't need to define it in the backup list.

 

Also, you'd probably want to use an FQDN, otherwise you might get certificate errors, unless you've defined the IP address in the certificate.

I am a bit confused with your last response.

 

If my FQDN is sslvpn.p1.com, which is what you suggest I add, fine, but where am I actually adding the primary and secondary IP addresses?

For example, sslvpn.p1.com would resolve to 2.2.2.2, then you'd have another FQDN, sslvpnbackup.p1.com, which would resolve to 1.1.1.1. You'd define sslvpn.p1.com as the Primary Server and sslvpnbackup.p1.com under the Backup Servers. E.g.

 

[Screenshot: 222.PNG]

Thank you, Rob! On a quick note, what is the option of "backup servers" in profile editor? 

The "Backup Servers" are global for all connections. The backup server list is specific for that connection profile as defined in the Server List (the screenshot above). The servers defined in the Server List take precedence over servers defined in the Backup Servers.
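For readers who cannot see the attached screenshots, here is what the Profile Editor writes to the AnyConnect client profile XML for the setup discussed in this thread (an added example, not one of the posters' files). It assumes the FQDNs from the thread, sslvpn.p1.com (resolving to 2.2.2.2) and sslvpnbackup.p1.com (resolving to 1.1.1.1), and shows both places a backup list can live: the global one under ClientInitialization and the per-connection one inside the HostEntry, the latter taking precedence as described above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Global "Backup Servers" tab: applies to every connection entry that
         does not carry its own BackupServerList. Left empty here because the
         Server List entry below defines its own backup. -->
    <BackupServerList>
    </BackupServerList>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Display name the user sees in the AnyConnect drop-down. -->
      <HostName>Site A VPN</HostName>
      <!-- Primary Server: FQDN that resolves to the primary ISP address
           (2.2.2.2 in this thread). Using the FQDN, not the raw IP, keeps the
           name matching the ASA's certificate. -->
      <HostAddress>sslvpn.p1.com</HostAddress>
      <!-- Per-connection backup list: tried in order only when the primary
           does not answer. Resolves to the second ISP address (1.1.1.1).
           Do not repeat the primary address here. -->
      <BackupServerList>
        <HostAddress>sslvpnbackup.p1.com</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Because the client only falls back when the primary fails to respond, the ASA side still needs the IP SLA tracked default route mentioned earlier so that the tunnel and return traffic follow the ISP that is actually up.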

Appreciate all your responses, thanks a lot, Rob.
