Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1770
Views
13
Helpful
6
Replies

Remote site redundancy IPSEC VPN between 2911 and ASA

mitchen
Level 2
Level 2

‎11-12-2012 09:31 AM - edited ‎02-21-2020 06:28 PM

We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.

Site A has an ASA with one internet circuit.

Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.

Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.

The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.

What is the best way of achieving this?

We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.

However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?

I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911.   Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved?  And how could I also introduce the 877 and ADSL line into things to achieve the neccessary redundancy?

Any help/advice would be appreciated!

Labels:
0 Helpful
6 Replies 6

pkupisie
Cisco Employee
Cisco Employee

‎11-12-2012 10:13 AM

Hello,

I don't think GRE tunnel that you could set up on the switch  behind ASA would be really helpfull. Still site-2-site tunnel you want  to establish between ASA and some routers, but still it is ASA which needs to make decision about which peer to connect to.

Possible solution would be to do HSRP between both routers on LAN side and with two independent tunnels/crypto maps (one on each of them). On ASA you would need to set up two hosts in set peer. Problem of this solution is that if one router at side B is going to go down and second ADSL line will take over ASA will not do preempt after you main Internet connection is up again. This would happen after ADSL Internet connection will be down.

Solution to that would be to assign two different public IP addressess on two different interfaces of ASA. Then you attach two crypto maps to both interfaces and by using sla monitor (let's say icmp to main router, if it does not respond then you change routing for remote LAN to second interface) you are selecting which crypto map (with one peer this time) should be used.

I hope what I wrote makes some sense.

mitchen
Level 2
Level 2
In response to pkupisie

‎11-13-2012 02:12 AM

I think I understand what you're saying - however, I think it might be difficult in our set-up.  For one thing, I don't think we have a spare interface on the ASA (we have outside, DMZ, failover and inside so the 4 available ports are already in use!)  But, even if we did have a spare interface - would your solution not mean that we would need to have 2 internet connections from this one ASA (or at the very least 2 connections to the one provider NTE)?   We only have the 1 connection unfortunately.

Maybe it will be the case that I can't completely automate this and will need to manually intervene (i.e. when main internet connection is restored at Site B, I could clear down the tunnel and allow it to re-establish connectivity with the primary peer again?)

0 Helpful

pkupisie
Cisco Employee
Cisco Employee
In response to mitchen

‎11-13-2012 06:13 AM

You basically wouldn't need to have two Internet connections, but two external IP addressess in two different subnets. I know that this is really not easy to achieve, but I don't think there is other option.

Of course manual option would work, at least your network would be always up. In this case you shouldn't have preempt on HSRP (not to have situation in which on ADSL line you have tunnel up, but active HSRP router is the second one).

You could try to use EEM (embeded event manager) to try to capture HSRP events and just shut down ADSL interface when the main link is up (HSRP active is the main router).

If any of these advices were helpfull for you feel free to rate that posts.

Thanks,

0 Helpful

mitchen
Level 2
Level 2
In response to pkupisie

‎11-13-2012 06:35 AM

Hi Piotr - thanks for the further advice.   Interesting idea on EEM, that's something I hadn't thought of.   Do you have any sample configs of how I might acheive what I want with EEM - its not something I'm overly familar with I have to admit!

0 Helpful

pkupisie
Cisco Employee
Cisco Employee
In response to mitchen

‎11-13-2012 06:44 AM

I am also not an expert in EEM, but I think google and some labs will help.

There was similar issue, but don't know if it will work:

https://supportforums.cisco.com/thread/2163577

mitchen
Level 2
Level 2
In response to pkupisie

‎11-13-2012 06:49 AM

Thanks for the guidance - I'll take a look at the link you sent and do some more research and hopefully come up with something that works!

0 Helpful
Customers Also Viewed These Support Documents