05-24-2012 05:47 AM
I have an ASA 5510 firewall in the EDN-UK1 main office (internet connection with Virgin) and 7 remote firewalls in other countries.
The EDN-UK1 firewall has a VPN connection with each of the 7 remote firewalls.
Now we are going to install one more firewall, EDN-UK2, in the main office (internet connection with BT) to use as standby for the VPNs of all 7 remote offices. In case EDN-UK1 fails, EDN-UK2 starts serving the remote VPNs without interruption.
I have studied Active/Standby failover and GRE over IPsec tunnel with OSPF, but I can't find what would be the correct configuration to implement this task.
03-01-2020 04:07 AM
Hi,
You just configure both IPsec tunnels. As for reconvergence:
- configure ISAKMP keepalives to detect ISP failure without the link actually going down; otherwise you'll end up black-holing traffic
- your routing needs to fail over as well (when the link does not go down); if you use static routing, use tracking
Remember that routing needs to converge first, as from an order of operation point of view, routing happens first (so the egress interface is selected) and encryption afterwards, based on the egress interface crypto configuration.
Regards,
Cristian Matei.
03-01-2020 04:24 AM
Hi Cristian,
Thanks for the reply.
Sure but do you have any sample config which you can share across? Would appreciate your kind help.
Thanks
03-01-2020 05:53 AM
Hi,
The only thing missing from the following link is the ISAKMP keepalive configuration (and failover if you have redundant ASAs):
Regards,
Cristian Matei.
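The two points from the replies above (ISAKMP keepalives and tracked static routing), shown together as an added example that is not part of the original thread or of the linked document. It assumes ASA 8.4+ syntax, one ASA with two ISP interfaces named `outside` and `backup`, and an IKEv1 policy and NAT exemption that already exist; every name, address and the key are constructed placeholders.

```text
! Constructed example: names, addresses and the key are placeholders.
! outside = primary ISP (gateway 198.51.100.1)
! backup  = second ISP  (gateway 203.0.113.1)
! Remote peer 192.0.2.10, local LAN 10.1.0.0/24, remote LAN 10.2.0.0/24

! 1. Probe a stable host beyond the primary ISP (placeholder 192.0.2.1),
!    so a failure upstream is noticed while the outside link stays up.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! 2. Tracked primary default route plus a floating backup route.
!    When track 1 goes down, the primary route is withdrawn and the
!    route with metric 254 takes over.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254

! 3. The same crypto map on both egress interfaces: routing picks the
!    egress interface first, then that interface's crypto map applies.
access-list VPN-TRAFFIC extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN-MAP 10 match address VPN-TRAFFIC
crypto map VPN-MAP 10 set peer 192.0.2.10
crypto map VPN-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN-MAP interface outside
crypto map VPN-MAP interface backup
crypto ikev1 enable outside
crypto ikev1 enable backup

! 4. ISAKMP keepalives: a peer that stops answering is declared dead
!    and its SAs are removed instead of silently black-holing traffic.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>
 isakmp keepalive threshold 10 retry 2
```

The remote peer needs both local public addresses listed as peers, and `show track 1` and `show crypto isakmp sa` confirm which path and which tunnel are active after a failover test.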
03-01-2020 10:39 PM
Hi Cristian,
Thanks for pointing me in the right direction. I already had a look through your shared link too.
In my case, I would have 2 x ASAs (Active/Failover) on each site, i.e. a total of 4 x ASAs with independent WAN links having redundant IPsec VPN tunnels connected to the same LAN on either site, the same as the attached HA network design shared by Carlos earlier as:
Let me give it a go with your shared link and I will let you know how that goes.
Thanks