Site-2-Site redundant VPN Tunnel from remote office to Head Office on two different ASA's 5510

mehmoodch
Level 1

I have an ASA 5510 firewall in the EDN-UK1 main office (internet connection with Virgin) and 7 remote firewalls in other countries.

The EDN-UK1 firewall has a VPN connection with each of the 7 remote firewalls.

Now we are going to install one more firewall, EDN-UK2, in the main office (internet connection with BT) to use as standby for all 7 remote offices' VPNs. In case EDN-UK1 fails, EDN-UK2 starts serving the remote VPNs without interruption.

I have studied Active/Standby failover and GRE over IPsec tunnel with OSPF, but I can't find what the correct configuration to implement this task would be.

18 Replies

Hi,

 

You just configure both IPsec tunnels; as for reconvergence:

- configure ISAKMP keepalives to detect ISP failure without the link actually going down; otherwise you'll end up black-holing traffic

- your routing needs to fail over as well (when the link does not go down); if you use static routing, use tracking

Remember that routing needs to converge first: from an order-of-operations point of view, routing happens first (so the egress interface is selected) and encryption afterwards, based on the egress interface's crypto configuration.

 

Regards,

Cristian Matei.
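To make the two points above concrete (tracked static routes so routing converges, ISAKMP keepalives so a dead peer is noticed while the link is still up), here is an added head-office configuration sketch. It is not from the original thread or from Cristian's link; it assumes a single ASA running 9.x (or an Active/Standby pair sharing this config) with two outside interfaces, one per ISP, and IKEv1 to one remote peer. All interface names, addresses (RFC 5737 ranges), ACL and map names are hypothetical placeholders.

```cisco
! Two outside interfaces, one per ISP (addresses are hypothetical)
interface GigabitEthernet0/0
 nameif outside-virgin
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface GigabitEthernet0/1
 nameif outside-bt
 security-level 0
 ip address 203.0.113.2 255.255.255.248

! IP SLA probe towards the primary ISP's next hop. Reachability is tracked,
! not interface state, so an upstream failure with the local link still up
! is detected and the primary default route is withdrawn.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside-virgin
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! Primary default route is tied to the track; the floating route (metric 254)
! through BT takes over when the probe fails. Routing converges first, then
! the crypto map of the newly selected egress interface is used.
route outside-virgin 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route outside-bt 0.0.0.0 0.0.0.0 203.0.113.1 254

! IKEv1 enabled on both egress interfaces, same policy for both
crypto ikev1 enable outside-virgin
crypto ikev1 enable outside-bt
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! ISAKMP keepalives (DPD): a peer that stops answering is declared dead after
! threshold 10 s idle + retries, so the stale SA is torn down instead of
! black-holing traffic. The remote peer address is hypothetical.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>
 isakmp keepalive threshold 10 retry 2

crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic: head-office LAN to the remote LAN (hypothetical subnets)
access-list VPN-REMOTE1 extended permit ip 10.1.0.0 255.255.0.0 10.8.0.0 255.255.255.0

! One crypto map applied to BOTH outside interfaces, so whichever interface the
! routing table selects after failover carries the same peer/proxy definition.
crypto map OUTSIDE-MAP 10 match address VPN-REMOTE1
crypto map OUTSIDE-MAP 10 set peer 192.0.2.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside-virgin
crypto map OUTSIDE-MAP interface outside-bt

! On the REMOTE ASA the mirror entry lists both head-office addresses so it
! can re-establish to the surviving one once its own DPD tears the SA down:
!   crypto map OUTSIDE-MAP 10 set peer 198.51.100.2 203.0.113.2
```

Things this sketch deliberately leaves out, which a real deployment still needs: a NAT exemption for the VPN-REMOTE1 traffic, matching tunnel-groups on the remote side for each head-office address, and the `failover` configuration if the head office is an Active/Standby pair. Note also that tracking the ISP's own gateway only proves first-hop reachability; probing an address beyond the ISP (or the remote peer itself) catches upstream failures that a healthy next hop would otherwise hide.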


Hi Cristian,

 

Thanks for reply.

 

Sure, but do you have any sample config which you can share? I would appreciate your kind help.

 

Thanks 

 

 

Hi,

 

The only thing missing from the following link is the ISAKMP keepalive configuration (and failover if you have redundant ASAs):

http://www.techspacekh.com/configuring-fail-over-ipsec-site-to-site-vpn-with-dual-wan-links-and-ip-sla-on-cisco-asa-firewall-9-x/

 

Regards,

Cristian Matei.

Hi Cristian,

 

Thanks for pointing me in the right direction. I already had a look through your shared link too.

In my case, I would have 2 x ASAs (Active/Failover) on each site, i.e. a total of 4 x ASAs with independent WAN links, having redundant IPsec VPN tunnels connected to the same LAN on either site, the same as the attached HA network design shared by Carlos earlier:

 

 

Let me give your shared link a go and I will let you know how that goes.

 

Thanks