986 Views, 0 Helpful, 1 Reply

Redundant Site to Site VPN Peers?

Sean_Kirk
Level 1

Currently we have an ASA5510 in our main hub site (HUB1), and about 60 remote sites w/ Site to Site VPN setup. We are adding another hub site (HUB2) with another Internet connection and another ASA5510. The two sites will be connected via a multimeg Point-to-Point connection.

The question is, is it possible to set up the remote site-to-site VPN devices (Cisco 800 routers) to choose which peer to establish their VPN tunnel with, based off of connection state? I.e., if HUB1 is available, connect to it first (the primary peer), but if it isn't, connect to HUB2.

Additionally, would the ASAs be able to share with each other which remote site is connected to which ASA?

1 Reply

raga.fusionet
Level 4

Hi Sean,

The answer to question 1 is yes, you can set up backup peers by specifying them on the crypto map of the remote routers. e.g.:

! Remote-site router: the transform-set referenced by the map must be defined first
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
!
crypto map labmap 10 ipsec-isakmp
 ! peers are tried in the order listed: HUB1 (10.0.0.1) first, then HUB2 (11.0.0.1)
 set peer 10.0.0.1
 set peer 11.0.0.1
 set transform-set 3des-sha
 ! access-list 100 selects the interesting traffic; the hub side must mirror it
 match address 100

The router will try to connect first to 10.0.0.1 and if that fails it will try to connect to 11.0.0.1.

The answer to question 2 is no, unfortunately this type of information cannot be shared with other hosts. For security reasons the ASA will keep it to itself if they are configured as standalone units.

I hope that this answers your questions.

Have fun.

Raga
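An added illustration, not part of Raga's reply or of any Cisco tooling: with ordered `set peer` entries the 800 series router negotiates with 10.0.0.1 first and only moves to 11.0.0.1 when that negotiation fails, so the only place that records which hub a site is actually on is the remote router itself. The Python below parses the `set peer` order out of a crypto map in a running-config fragment and matches it against `show crypto isakmp sa` output to classify a site as on its primary peer, on its backup, or down. All three show-output samples and the config fragment are constructed for the example (the map name `labmap`, the peer addresses and the source address 203.0.113.10 are assumptions, not data from the thread). One caveat a practitioner should keep in mind: an already-established tunnel only fails over once the router notices the primary is dead; without Dead Peer Detection (`crypto isakmp keepalive 10 periodic` on IOS) it learns that only when a rekey or retransmit times out.

```python
import re

# Constructed running-config fragment of a remote-site router using the crypto map
# from the reply above (example data, not pulled from a real device).
SAMPLE_CONFIG = """\
crypto map labmap 10 ipsec-isakmp
 set peer 10.0.0.1
 set peer 11.0.0.1
 set transform-set 3des-sha
 match address 100
"""

# Constructed 'show crypto isakmp sa' outputs for three situations.
# Tunnel established with the primary peer (HUB1):
SAMPLE_SA_PRIMARY = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        203.0.113.10    QM_IDLE           1001 ACTIVE
"""

# HUB1 went away and the router re-negotiated with the backup peer (HUB2):
SAMPLE_SA_FAILED_OVER = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
11.0.0.1        203.0.113.10    QM_IDLE           1002 ACTIVE
"""

# Negotiation still in progress / torn down: no usable SA to either peer.
SAMPLE_SA_DOWN = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        203.0.113.10    MM_NO_STATE       1003 ACTIVE (deleted)
"""


def peers_in_order(config, map_name):
    """Return the 'set peer' addresses of the named crypto map, primary first."""
    peers = []
    in_map = False
    for line in config.splitlines():
        if re.match(rf"^crypto map {re.escape(map_name)} \d+ ipsec-isakmp", line):
            in_map = True
            continue
        if in_map and not line.startswith(" "):
            in_map = False  # a non-indented line means we left the map sub-mode
        if in_map:
            m = re.match(r"^\s+set peer (\S+)", line)
            if m:
                peers.append(m.group(1))
    return peers


def established_peers(sa_output):
    """Return the set of peer addresses that have a fully established ISAKMP SA.

    Only rows in state QM_IDLE with a plain ACTIVE status count; MM_* states are
    still negotiating and '(deleted)' entries are being torn down.
    """
    up = set()
    for line in sa_output.splitlines():
        cols = line.split()
        if len(cols) == 5 and cols[2] == "QM_IDLE" and cols[4] == "ACTIVE":
            up.add(cols[0])
    return up


def tunnel_status(config, map_name, sa_output):
    """Classify the site as ('primary', peer), ('backup', peer) or ('down', None)."""
    peers = peers_in_order(config, map_name)
    up = established_peers(sa_output)
    for rank, peer in enumerate(peers):
        if peer in up:
            return ("primary" if rank == 0 else "backup", peer)
    return ("down", None)


if __name__ == "__main__":
    for label, sa in (("primary", SAMPLE_SA_PRIMARY),
                      ("failed over", SAMPLE_SA_FAILED_OVER),
                      ("down", SAMPLE_SA_DOWN)):
        print(f"{label:12s} -> {tunnel_status(SAMPLE_CONFIG, 'labmap', sa)}")
```

Run the same two commands against each of the 60 remote routers (over SSH or from a config backup) and feed the output to `tunnel_status`; the resulting site-to-hub mapping is exactly the information the standalone ASAs will not exchange with each other, collected from the side that does know it.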