Site to site failover VPN connection and routing issues

Marc Bouchard
Level 1

I need some help... Here's the situation:

We have 3 sites, with a Cisco ASA 5520 at each location.

HQ (Headquarters)              internal network: 172.16.110.0/24,

DR (Disaster Recovery)       internal network: 172.16.120.0/24

BO (Branch Office)               internal network: 172.16.150.0/24

HQ and DR have a 100Mbps permanent MPLS link between each other.

Branch Office has a Site 2 Site VPN connection to HQ. If it fails, it establishes a Site 2 Site VPN connection to DR.

(Screenshot of the three-site topology, dated 2013-04-09; image not reproduced here.)

This works perfectly.

Now the routing issue... There is no route to the BO in the routing table at HQ/DR. The default gateway is used to reach the BO and that works for HQ when the VPN is between HQ/BO. If the VPN fails over to DR/BO, HQ can't reach BO anymore.

I need to have some kind of conditional route injection from the ASA where the VPN is established. I was considering a tracked static route, but I was wondering if the S2S VPN itself has a functionality to do so. I thought the Reverse Route Injection was it but it's enabled on our crypto map and doesn't seem to work...

Any input would be appreciated!

Thanks,

Marc

4 Replies

Marc Bouchard
Level 1

Well, after talking to Cisco TAC, we ended up doing a tracked static route as I had thought. We're simply tracking the BO's internal ASA interface and if it's reachable, the route is advertised internally.

Tracked static route in the DR site, I assume?


Both sites actually. The static route must be injected no matter what, otherwise one of the sites (DR or HQ) will not be able to reach the branch office, i.e. if the VPN is established with HQ, the DR site has no idea where the 172.16.150.* network is, so it tries to reach it through its default gateway and leads nowhere. Same for the opposite (VPN to DR, HQ has no idea how to reach BO).

Now having the tracked static routes in place, whichever side has the VPN connection injects the route ensuring all traffic to BO is routed properly.
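The configuration below is an added example of the tracked-static-route approach Marc describes, written for the HQ ASA; it is not Marc's actual configuration and not from the thread. The interface names (outside, inside), the HQ outside address 203.0.113.10 and its upstream gateway 203.0.113.1, the BO ASA inside address 172.16.150.1, and the use of OSPF process 1 to carry the route to the internal routers and across the MPLS link are all assumptions. The DR ASA gets the same block with its own addresses, which is what makes "both sites" inject the route as Marc says.

```cisco
! Added example (not from the thread): HQ ASA 5520, conditional route to the branch office.
! Assumed: outside interface 203.0.113.10 with gateway 203.0.113.1, BO ASA inside 172.16.150.1,
! OSPF process 1 running on the inside toward the HQ router (and on to DR over MPLS).

! 1. ICMP probe to the BO ASA's inside address, leaving via the outside interface.
!    An ASA-originated probe is sourced from the outside interface IP, so it only crosses the
!    tunnel if the crypto ACL on BOTH ends permits that host to 172.16.150.0/24 (see step 5).
sla monitor 10
 type echo protocol ipIcmpEcho 172.16.150.1 interface outside
 num-packets 3
 frequency 5
 timeout 3000
sla monitor schedule 10 life forever start-time now

! 2. Track object follows the probe's reachability state.
track 1 rtr 10 reachability

! 3. Static route to BO, installed only while the probe succeeds; withdrawn when it fails.
!    The next hop is the Internet gateway because the tunnel terminates on the outside interface.
route outside 172.16.150.0 255.255.255.0 203.0.113.1 1 track 1

! 4. Redistribute only that prefix into the IGP so the internal routers (and DR over MPLS)
!    learn 172.16.150.0/24 from whichever ASA currently holds the tunnel.
access-list BO-NET standard permit 172.16.150.0 255.255.255.0
route-map BO-VPN-ROUTE permit 10
 match ip address BO-NET
router ospf 1
 network 172.16.110.0 255.255.255.0 area 0
 redistribute static subnets route-map BO-VPN-ROUTE

! 5. Crypto ACL entry for the probe traffic itself (assumed ACL name HQ-TO-BO, already used
!    by the crypto map). BO needs the mirror: 172.16.150.0/24 -> host 203.0.113.10.
access-list HQ-TO-BO extended permit ip host 203.0.113.10 172.16.150.0 255.255.255.0
```

To check it after the tunnel fails over, `show track 1` should report the reachability state, `show sla monitor operational-state 10` shows the probe results, and `show route | include 172.16.150` should list the tracked route on the ASA that currently holds the tunnel and nothing on the other. Keep the probe frequency and timeout short enough that the route is withdrawn before the branch's own failover to the other peer completes, otherwise the old site keeps attracting traffic into a dead tunnel for a few seconds.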

rizwanr74
Level 7

Hi Marc,

Please read down this thread, using an ASA doing a failover.

https://supportforums.cisco.com/message/3649158#3649158

After reading, if you have a question, please ask.

Thanks