cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2571
Views
5
Helpful
5
Replies

Two IPsec VPN tunnels having same interesting traffic but different peer IPs

Breejesh
Level 1
Level 1

Hello Experts,

 

I have Cisco 5516 ASA (Software Version 9.8(4)8)  and we are undergoing requirement to build 2 IPSec vpn tunnels with same source and destination encryption domain but having different peer IPs. And we are requested to keep both tunnel UP since my side will be originator only but the remote side are doing dynamic routing so the return traffic can come on either of the tunnels. 

My question is 

Can I keep both tunnels UP at my side ASA at the same time and is there any way to prioritize the traffic to go out on any one tunnel but can receive the return traffic on either of the tunnels? Thinking to do TCP state bypass for return traffic since it is going to be asymmetric but how my side ASA will be able to make the decision on routing the traffic having two tunnels with same interesting traffic and when my side is going to be originator of the traffic?

 

Thanks in advance!

1 Accepted Solution

Accepted Solutions

Hi @Breejesh 

Well, if you don't have real traffic keeping the tunnel up, you have a couple of options. Use IP SLA from the ASA to send an icmp probe every once in a while or use your Network Management Solution to send a probe (icmp/snmp).

 

It doesn't need to be a continuous ping.

View solution in original post

5 Replies 5

Hi @Breejesh 

Configure a Route Based VPN using 2 x VTI, a VTI is always up. This will rely on the routing protocol to send traffic over the VPN tunnel. Ideally on the ASA you'd use the same tunnel to send and receive, the other tunnel will be a backup.


HTH

 

 

Hello Rob,

I have setup Active and backup IPSec tunnel to achieve the goal. In this case we do not require to enable TCP State Bypass and the other site was able to send/receive traffic on the active tunnel though they are using dynamic protocol to route the traffic.

Now, I am looking for a solution to keep the IPSec vpn tunnel up without having real real traffic travel.

I have one option to setup continuous ping but looking for alternate solution.

Hi @Breejesh 

Well, if you don't have real traffic keeping the tunnel up, you have a couple of options. Use IP SLA from the ASA to send an icmp probe every once in a while or use your Network Management Solution to send a probe (icmp/snmp).

 

It doesn't need to be a continuous ping.

Hello @Rob Ingram ,

 

IP SLA worked as expected for me. Thank you very much.

Hi, I am trying to implement the same, can you please elaborate more on how you were able to resolve this issue and keep your tunnel up?