09-22-2020 10:51 PM
Hello Experts,
I have a Cisco 5516 ASA (Software Version 9.8(4)8) and we have a requirement to build 2 IPsec VPN tunnels with the same source and destination encryption domain but different peer IPs. We have been asked to keep both tunnels UP, since my side will be the originator only but the remote side is doing dynamic routing, so the return traffic can come in on either of the tunnels.
My question is
Can I keep both tunnels UP on my side ASA at the same time, and is there any way to prioritize the traffic to go out on one tunnel but receive the return traffic on either of the tunnels? I am thinking of doing TCP state bypass for the return traffic since it is going to be asymmetric, but how will my side ASA be able to make the routing decision, having two tunnels with the same interesting traffic, when my side is going to be the originator of the traffic?
Thanks in advance!
09-23-2020 01:13 AM
Hi @Breejesh
Configure a route-based VPN using 2 x VTIs; a VTI is always up. This will rely on the routing protocol to send traffic over the VPN tunnel. Ideally on the ASA you'd use the same tunnel to send and receive; the other tunnel will be a backup.
HTH
10-12-2020 10:48 PM
Hello Rob,
I have set up active and backup IPsec tunnels to achieve the goal. In this case we do not need to enable TCP State Bypass, and the other site was able to send/receive traffic on the active tunnel even though they are using a dynamic protocol to route the traffic.
Now I am looking for a solution to keep the IPsec VPN tunnel up without having real traffic travel over it.
I have one option, to set up a continuous ping, but I am looking for an alternative solution.
10-12-2020 11:41 PM
Hi @Breejesh
Well, if you don't have real traffic keeping the tunnel up, you have a couple of options: use IP SLA from the ASA to send an ICMP probe every once in a while, or use your Network Management Solution to send a probe (ICMP/SNMP).
It doesn't need to be a continuous ping.
07-17-2024 12:17 PM
Hi, I am trying to implement the same. Can you please elaborate on how you were able to resolve this issue and keep your tunnel up?