Site to Site VPN Redundancy using ASA's

etamminga
Spotlight

What is the best way to set up a redundant site-to-site VPN?

We currently have 2 ASA5510's (8.2) at the HQ and several ASA5505's at remote sites. We would like to have the remote ASA's automatically switch over to the second ASA at the HQ when the primary path fails.

Dual peer addresses on the remote sites with reverse route injection at the HQ and a routing protocol at HQ doesn't work, because the RR already exists as soon as we set up the VPN, even when it's not connected.

Please advise....

Regards,

Erik

8 Replies

andrew.prince
Level 10

Just add the secondary external IP address to the current remote site crypto maps.

When the first IP (primary) is not available they will try the secondary, e.g.

crypto map <> <> set peer y.y.y.y z.z.z.z

y.y.y.y = Primary ASA

z.z.z.z = Secondary ASA

HTH

Thanks for the reply, but the remote site is not the problem! It's the HQ.

Because reverse route injection always injects a route (despite the lack of a valid SA) the core routers do not know where to send the traffic!

Does anybody know how to setup the routing at HQ. Bear in mind that reverse route injection doesn't do what I'd expect it to do.

Regards,

Erik

OK - reverse route injection only populates a routing table with an entry with a valid IPSEC tunnel....supposedly.

I have seen and continue to see that on ASA ver 8.0 - 8.x versions of IOS reverse route injection does not perform 100%, and advise against its use. Great function, not 100% bug free yet.

The best way to overcome this issue is to run a dynamic routing protocol in a GRE tunnel over an IPSEC VPN,

or you just enable the ASAs to be a failover pair, and have the core routers point to the active IP address of the inside of the ASAs.

RRI does seem to work as expected on dynamic tunnels (EzVPN) but fails on site-to-site.

Using GRE tunnels rules out the ASA's and requires routers (IOS).

Using failover ASAs will not work because we're using two different ISPs on the two ASAs, so ... bye bye ASAs.

Regards,

Erik

Not entirely game over just yet - you could use IP SLA on the ASAs to check the remote end via an ICMP probe. If it fails, the ASA removes the route from its local table and stops redistributing it - then the other ASA will have a valid route and will populate that back into the core.

The below is an indication of what you can try.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
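The tracked-static-route approach described above, written out as an added example for an 8.2-era ASA pair (it is not configuration from the original thread or from the linked Cisco document). All addresses, names (OUTSIDE_MAP, HQ_TRAFFIC, ESP-AES-SHA), SLA and track numbers and the OSPF metrics are constructed; the branch LAN is 192.168.10.0/24, the branch ASA's public address is 192.0.2.50, and the two HQ ASAs sit behind different ISPs at 203.0.113.10 and 198.51.100.10. The HQ side deliberately has no `set reverse-route`: instead of RRI, the route to the branch exists only while an ICMP probe of the branch peer succeeds.

```cisco
! --- Remote-site ASA 5505 (8.2), constructed addresses ---
! Both HQ peers in one crypto map entry; the second is tried only after
! the first stops answering, so DPD is enabled to detect a dead peer.
crypto map OUTSIDE_MAP 10 match address HQ_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <psk-placeholder>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <psk-placeholder>
 isakmp keepalive threshold 10 retry 2

! --- HQ ASA 5510 #1 (8.2), behind ISP A, constructed addresses ---
crypto map OUTSIDE_MAP 10 match address BRANCH_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 192.0.2.50
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
! (no "set reverse-route" on this entry)

! ICMP probe of the branch peer's public address through this ASA's
! own ISP; three echoes every 10 seconds.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.50 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! The route toward the branch LAN is installed only while track 1 is up.
route outside 192.168.10.0 255.255.255.0 203.0.113.1 1 track 1

! Redistribute the tracked static to the core. Once the probe fails the
! route leaves the table and stops being advertised, so the core follows
! HQ ASA #2. The low metric makes ASA #1 the preferred path while both
! are up and avoids an equal-cost (asymmetric) split across two tunnels.
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 redistribute static subnets metric 20

! --- HQ ASA 5510 #2 (8.2), behind ISP B ---
! Same crypto map, sla monitor, track and tracked route, with its own
! ISP gateway (198.51.100.1) and a worse metric:
!   route outside 192.168.10.0 255.255.255.0 198.51.100.1 1 track 1
!   router ospf 1
!    redistribute static subnets metric 200
```

The probe only proves that the branch's public address answers ICMP over this HQ ASA's ISP; it says nothing about the state of the IPsec SA itself, so a tunnel that is up at IKE level but not passing traffic is not detected. The branch ASA must also answer echo requests on its outside interface (the ASA permits ICMP to its own interfaces unless an `icmp deny` rule on that interface says otherwise).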

Hi,

Could anyone provide a configuration reference for EZVPN (using ASAs on the remote side and 2 redundant ASA servers in 2 different data centers)? Is it a possible network design?

Regards

Peter Koltl
Level 7

There had been no plausible solution until VTI functionality was added to ASA in 9.8

Thanks, Peter
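An added example of the route-based alternative Peter refers to, for the remote-site ASA only; it is not configuration from the thread or from Cisco documentation. It assumes ASA 9.8 or later (IKEv2 on a VTI), constructed addresses (HQ ASAs at 203.0.113.10 and 198.51.100.10, branch LAN 192.168.10.0/24, /30 tunnel addresses in 10.255.0.0/16), constructed ASNs (65010 at the branch, 65001 at HQ), and the assumed policy that routes learned over the second tunnel are made less preferred with a local-preference route-map. Each HQ ASA needs the mirror-image tunnel, BGP neighbor and key, and then advertises the branch prefix into the core with its own routing protocol; because the tunnel is an interface with a routed neighbor, the core only hears a path from an ASA whose BGP session is actually up, which is the property RRI on a crypto map could not give.

```cisco
! --- Remote-site ASA (9.8+), constructed addresses ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256

! One tunnel-group per HQ peer; keys are placeholders.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk-placeholder>
 ikev2 local-authentication pre-shared-key <psk-placeholder>
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk-placeholder>
 ikev2 local-authentication pre-shared-key <psk-placeholder>

! One VTI per HQ ASA. No crypto ACL and no RRI: whatever is routed into
! the tunnel interface is encrypted.
interface Tunnel1
 nameif VTI-HQ1
 ip address 10.255.1.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
interface Tunnel2
 nameif VTI-HQ2
 ip address 10.255.2.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! eBGP to each HQ ASA across its tunnel. Short hold timers make the
! branch drop HQ routes quickly when a tunnel dies; the route-map on the
! HQ2 session lowers the preference of its routes so HQ1 carries traffic
! while both sessions are established.
router bgp 65010
 bgp log-neighbor-changes
 address-family ipv4 unicast
  network 192.168.10.0 mask 255.255.255.0
  neighbor 10.255.1.1 remote-as 65001
  neighbor 10.255.1.1 timers 10 30
  neighbor 10.255.1.1 activate
  neighbor 10.255.2.1 remote-as 65001
  neighbor 10.255.2.1 timers 10 30
  neighbor 10.255.2.1 activate
  neighbor 10.255.2.1 route-map PREFER-HQ1-IN in
route-map PREFER-HQ1-IN permit 10
 set local-preference 50
```

The point of preferring one path on purpose is to keep traffic symmetric: if the branch sends toward HQ1 while the HQ core returns via HQ2, each ASA sees half a flow and stateful inspection drops it. Checking `show bgp summary` and `show crypto ikev2 sa` on both sides after disconnecting one ISP is the quickest way to confirm the failover actually happens at the routing layer rather than only at IKE.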


So it is not possible to have EZVPN from 1 remote site using ASA5505s to access 2 different headquarter sites (using ACTIVE-BACKUP remote access & RRI only)? We have spoken about this with a Cisco representative, and he says we can do it...

Regards