10-05-2023 03:57 AM
Hi all
I am experienced with Cisco ASA and VPN, but have come across a design that I have not configured before.
We have a pair of ASAv firewalls in an Azure environment and need to build two redundant tunnels to non-Cisco VPN peers.
Thus we will have two peers, the same encryption domain, and the traffic will leave the same outside interface.
I have configured it to share the same crypto map, so is it as simple as the ASAv simply trying the second tunnel if the first one stops responding to DPDs, or do I need to set up some kind of IP SLA to swing from one VPN tunnel to the other?
Thanks in advance!
James
10-05-2023 04:23 AM
Hi James,
If it's a policy-based VPN, you can configure two tunnel-groups, one for each peer, and set multiple peers within the same crypto map.
If it's a route-based VPN, redundancy can be configured using BGP.
regards
kazam
10-05-2023 04:27 AM
Thanks Kazam, yes it is a policy-based VPN. And the failover from one to the other if peer connectivity fails is automatic?
10-05-2023 05:10 AM
That's correct: if the first peer fails, the IPsec tunnel will be established to the second peer automatically.
This worked on IKEv1, but only from version 9.14 on IKEv2, so as long as you have this or higher.
regards
kazam
10-05-2023 07:46 AM
set peer x.x.x.x y.y.y.y
Here, if the ASAv cannot connect to x.x.x.x, it will connect to y.y.y.y.
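For readers following the thread, here is a complete ASA configuration showing the design the answers describe (one crypto map entry with two peers, one tunnel-group per peer, DPD on each). This is an added example, not a configuration posted by anyone in the thread or taken from Cisco documentation. The object names, map name, ACL name, proposal names, subnets, and the peer addresses 203.0.113.10 and 203.0.113.20 are placeholders; the pre-shared keys are marked for replacement. The crypto suites are illustrative and must match what the non-Cisco peers actually support.

```cisco
! Added example (not from the thread). Policy-based IKEv2 L2L VPN with two
! redundant non-Cisco peers sharing one crypto map entry.
! All names, subnets and peer addresses are placeholders.
!
! Encryption domain: identical local and remote subnets for both peers,
! so one ACL drives a single crypto map entry.
object network LOCAL_NET
 subnet 10.10.0.0 255.255.0.0
object network REMOTE_NET
 subnet 192.168.50.0 255.255.255.0
access-list VPN_TO_PARTNER extended permit ip object LOCAL_NET object REMOTE_NET
!
! Phase 1 and Phase 2 proposals (adjust to the partner's supported suites).
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! One crypto map entry, two peers: the ASA negotiates with 203.0.113.10 first
! and moves to 203.0.113.20 when the primary stops answering IKE / DPD.
! Per the thread, multiple peers per entry need ASA 9.14 or later for IKEv2.
crypto map OUTSIDE_MAP 10 match address VPN_TO_PARTNER
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 203.0.113.20
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE_MAP interface outside
crypto ikev2 enable outside
!
! One tunnel-group per peer, each with its own pre-shared key and DPD timers.
! DPD (isakmp keepalive) is what detects a dead primary and triggers the
! switch to the second peer.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE_WITH_PEER1_PSK
 ikev2 local-authentication pre-shared-key REPLACE_WITH_PEER1_PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE_WITH_PEER2_PSK
 ikev2 local-authentication pre-shared-key REPLACE_WITH_PEER2_PSK
 isakmp keepalive threshold 10 retry 2
```

To confirm which peer is currently active, `show crypto ikev2 sa` lists the IKE SA with the remote peer address, and `show crypto ipsec sa peer 203.0.113.10` (or `.20`) shows whether that peer's child SA exists and is passing packets. Use distinct pre-shared keys per tunnel-group so a compromise of one peer's key does not expose the other tunnel, and keep the DPD threshold and retry values agreed with the partner so both sides detect failure within the same window.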
10-05-2023 07:58 AM
Thanks, of course, that works a treat!