S-S VPN between ASA and ASR1001

Mike Anderson
Level 1

Hello

We have 2 ASR routers at HQ connected to ISP and there are new remote sites that need to be connected to HQ via site to site VPN. Each remote branch will have an ASA. The outside IPs of both ASRs are in the same subnet.

1. Is it possible to achieve redundancy on the HQ side in this design?

2. Can I create L2L tunnels to both ASRs? If yes, how can I make 1 tunnel active and the other secondary?

                                                                            |ASR1
  Users--------L3SW--------ASA---------------ISP----------CPE---------------|
                                                                            |ASR2

Any suggestions are welcome

Thanks

Accepted Solutions

There are two ways:

  1. Stateful Failover for IPsec
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpn-availability-15-mt-book/sec-state-fail-ipsec.html
    http://packetlife.net/blog/2009/aug/17/fun-ipsec-stateful-failover/
  2. VPN-config with two peers on the ASA.
    Here you have two individual gateways on the HQ and the ASA has two tunnel-groups for both gateways but only one sequence in the crypto-map. The peer-statement has both HQ-IPs configured.
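
The second option above, sketched as a branch-ASA configuration fragment. This is an added example, not configuration from the original post: the ACL, transform-set and crypto-map names, the documentation-range addresses and the key placeholders are all assumptions, as are ASA 8.4+ IKEv1 syntax and an IKEv1 policy and NAT exemption that already exist.

```cisco
! Constructed example. 198.51.100.1 and 198.51.100.2 are placeholders for the
! outside addresses of ASR1 and ASR2; every name below is hypothetical.

! Traffic to protect: branch LAN to HQ networks (both ranges are placeholders).
access-list VPN-TO-HQ extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0

crypto ipsec ikev1 transform-set HQ-TS esp-aes-256 esp-sha-hmac

! Only one crypto-map sequence. Its peer statement carries both HQ addresses,
! and the ASA tries the peers in the order they are listed.
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1 198.51.100.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set HQ-TS
crypto map OUTSIDE-MAP interface outside

! One tunnel-group per HQ gateway, named after the peer address.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key PSK_FOR_ASR1_PLACEHOLDER

tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key PSK_FOR_ASR2_PLACEHOLDER
```

Each ASR needs a matching crypto configuration with a mirrored ACL, and `show crypto isakmp sa` on the ASA shows which HQ peer currently holds the tunnel.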