Redundant router at GRE hub site

paulnigel
Level 1

Hi forum,

I have a hub & spoke GRE over IPsec setup. Is it possible to add another router at the hub site for redundancy purposes?

The router is connected to the ASA firewall. Is it possible to have one connection from each router to link to two ASA firewall interfaces?

Could you advise on the design?

Thank you very much,

paul

6 Replies

attrgautam
Level 5

I would connect the routers and ASA on the same LAN with ASA probably in failover mode for HA and run a routing protocol over the GRE tunnels.

Run HSRP on the LAN, with the ASA default route pointing to the HSRP VIP of the primary router so that it falls back to the secondary router in an outage.

Hi attrgautam,

I am actually running EIGRP on the tunnel.

When you say "configure the ASA in failover mode", are you saying it can fail over based on links if either of the HSRP links fails? I am attaching a diagram; I hope I am getting you right.

On the LAN side, will I have to create 2 tunnels, and create a virtual tunnel interface too?

To be frank, I am getting blurred.

Thanks much,

paul

To be honest, I am confused by your diagram as well :-). Just to get it clarified: are both IPsec and GRE terminating on the routers, with the routers connected on the outside of the ASA?

or

IPsec terminates on the ASA and the GRE extends to the router placed on the inside of the ASA, over which you do EIGRP. Which one of these describes your setup?

The second one: IPsec terminates on the ASA, and GRE extends to the router on the ASA's inside interface.

The IPsec is running sort of full-mesh; the GRE is hub & spoke. I cannot find the command on the ASA that supports HSRP, or maybe I don't know it.

Thanks,

Yes, then the best thing would be to forget HSRP. Just build another GRE tunnel to the 2nd router, run EIGRP over the 2nd tunnel, and let EIGRP take care of the fallback. You would have to permit GRE traffic from the spoke to the 2nd router in the crypto ACL. ASA failover would only track failure of the interfaces connecting to the ASA.

Let me know if it helps.
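What that second-tunnel design looks like in configuration, as an added example that is not part of attrgautam's reply or the poster's setup; the interface names, EIGRP AS number, ACL and crypto-map names and every address are constructed placeholders:

```cisco
! --- Hub router 2 (on the ASA's inside LAN): new GRE tunnel to Spoke-A ---
! Constructed placeholder addresses: hub router 1 = 10.1.1.1, hub router 2 = 10.1.1.2,
! Spoke-A LAN-side GRE endpoint = 10.2.1.1. GRE rides inside the existing IPsec.
interface Tunnel1
 description GRE to Spoke-A via hub router 2
 bandwidth 64
 ip address 192.168.6.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.2.1.1
 delay 10000
! delay is in tens of microseconds; a GRE tunnel defaults to 5000 (50000 usec).
! Making this tunnel's delay worse than hub router 1's keeps hub 1 as the EIGRP
! successor and leaves hub 2 as the feasible successor used only on failure.
!
router eigrp 100
 network 192.168.6.0 0.0.0.3
 network 10.1.1.0 0.0.0.255
!
! --- Spoke-A router: second tunnel, pointing at hub router 2 instead of hub 1 ---
interface Tunnel1
 description GRE to hub router 2
 ip address 192.168.6.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 10.1.1.2
 delay 10000
!
router eigrp 100
 network 192.168.6.0 0.0.0.3
!
! --- Hub ASA: the crypto ACL must also match GRE between the spoke and hub 2 ---
! The entry for hub router 1 stays; the second line is the addition the reply
! describes. Without it the ASA will not encrypt (or accept) hub 2's GRE packets.
access-list OUTSIDE_CRYPTOMAP extended permit gre host 10.1.1.1 host 10.2.1.1
access-list OUTSIDE_CRYPTOMAP extended permit gre host 10.1.1.2 host 10.2.1.1
crypto map OUTSIDE_MAP 10 match address OUTSIDE_CRYPTOMAP
! The spoke end of the IPsec tunnel needs the mirror-image entry
! (permit gre host 10.2.1.1 host 10.1.1.2) or the proxy identities will not match.
```

Check with "show ip eigrp neighbors" on the spoke that both hubs are adjacent, then shut hub router 1's tunnel and confirm the routes reconverge via Tunnel1 while the IPsec SA on the ASA stays up.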

Hi attrgautam,

Can I point to the same tunnel destination, or must I create a completely different tunnel to all the sites again from the hub site?

I tried that on my 3650XL switch:

interface Tunnel0
 description GRE Second Tunnel Interface
 bandwidth 64
 ip address 192.168.5.17 255.255.255.252
 tunnel source Vlan20
 tunnel destination 192.168.5.41

This switch participates in EIGRP too.

I get the below. Does the 3500 switch not support GRE tunnels?

Nov 9 08:22:48: %PLATFORM_HCEF-3-ADJ: Insane handle in update LT7
-Traceback= 9CBB3C 3198C0 30FB10 AAC38 7FD308 7FE108 129950 1299C4 8013C0 108437C 801584 801A34 797CE8 791F2C
Nov 9 08:22:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up