11-11-2020 07:32 AM
On Site A, I have two ISPs, and both of them are unstable: sometimes one ISP works, sometimes the other.
1) How can I create an S2S VPN to Site B using both of these IP addresses such that, if one goes down, the other takes over?
2) I want to create a Remote Access VPN; with this ISP situation, what's the best way?
11-11-2020 07:42 AM
Hi @Brad_Shawh
You can define multiple Site-to-Site peers in a crypto map, e.g.
crypto map CMAP 1 set peer 1.1.1.1 2.2.2.1
This way if the peer detects ISP1 has failed it will attempt to establish a tunnel to the second peer.
For the RAVPN, you can enable it on both outside interfaces and, in the client AnyConnect profile, define a primary ASA and a backup list of peers. If the primary is down, AnyConnect will attempt to connect to the next peer in the backup list. You would need to use IP SLA to determine when a link is down in order to fail over the default route to the other ISP.
However, you are probably better off troubleshooting your ISP issues further. Depending on the ISP issues, you could be flipping between peers randomly.
HTH
11-11-2020 08:40 AM
If 2.2.2.2 is the primary address, then you don't need to define it in the backup list.
Also, you'd probably want to use an FQDN; otherwise you might get certificate errors, unless you've defined the IP address in the certificate.
11-11-2020 08:18 AM
Thank you.
The S2S VPN already works.
How do I do this "on the client anyconnect profile, define a primary ASA and a backup list of peers. "?
11-11-2020 08:22 AM
Use the AnyConnect Profile Editor, e.g.
11-11-2020 08:42 AM
I am a bit confused with your last response.
If my FQDN is sslvpn.p1.com, which is what you suggest I add, fine, but where am I actually adding the primary and secondary IP addresses?
11-11-2020 08:48 AM
For example, sslvpn.p1.com would resolve to 2.2.2.2, then you'd have another FQDN, sslvpnbackup.p1.com, which would resolve to 1.1.1.1. You'd define sslvpn.p1.com as the Primary Server and sslvpnbackup.p1.com under the Backup Servers, e.g.
11-11-2020 09:25 AM
Thank you, Rob! On a quick note, what is the "Backup Servers" option in the Profile Editor?
11-11-2020 09:31 AM
The "Backup Servers" are global for all connections. The backup server list is specific for that connection profile as defined in the Server List (the screenshot above). The servers defined in the Server List take precedence over servers defined in the Backup Servers.
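The screenshots from the Profile Editor did not survive, so here is the XML that the editor writes for the layout described above (per-connection Server List with its own backup list, plus the global Backup Servers). This is an added example, not from the original posts; the FQDNs sslvpn.p1.com and sslvpnbackup.p1.com come from the thread, while vpn-fallback.example.com is a constructed placeholder for the global list.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Global "Backup Servers": used for any connection whose
         Server List entry does not define its own backup list.
         Hostname below is a constructed placeholder. -->
    <BackupServerList>
      <HostAddress>vpn-fallback.example.com</HostAddress>
    </BackupServerList>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <!-- Display name shown in the AnyConnect connection drop-down -->
      <HostName>Site A SSL VPN</HostName>
      <!-- Primary server: FQDN resolving to the primary ISP address (2.2.2.2).
           An FQDN, not a bare IP, keeps the ASA certificate's subject
           matching what the client connects to. -->
      <HostAddress>sslvpn.p1.com</HostAddress>
      <!-- Per-connection backup list: tried in order when the primary is
           unreachable. Takes precedence over the global list above. -->
      <BackupServerList>
        <HostAddress>sslvpnbackup.p1.com</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The profile is pushed from the ASA to the client at connect time, so it only takes effect after one successful connection through whichever interface is currently reachable.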
11-11-2020 09:34 AM
Appreciate all your responses, thanks a lot, Rob.