VPN, ASA to two different peers, same subnets on both VPN tunnels

wilson_1234_2
Level 3

We have a Cisco ASA 5585 HA pair in context mode (Version 9.1(7)4 <context>) being used for VPN tunnels.

We have a customer who wants a primary (their main site) and backup (their secondary site) VPN tunnel to peer with our ASA. Both tunnels will peer to us with the same IP address, using the same crypto ACL (subnets the same on both ends for both tunnels). In the Cisco world this used to be a problem and would cause conflicting SAs. Is this still a problem, or can I use Twice NAT and NAT the destination subnets on the secondary crypto map and have both tunnels up at the same time?

5 Replies

oloyede29
Level 1

This should not be a problem as your default route (primary) will determine which peer ip address becomes active.

Rahul Govindan
VIP Alumni

Secondary crypto map won't help here, as the crypto ACL is the same: it will always match the first crypto map entry. Also, since the peer is the same IP address, the ASA won't even try to establish 2 tunnels, as it already has an existing phase 1 to the peer. Twice NAT can help if your peer IP address were different.

I am trying to understand the purpose of using the same IP address on the peer side. If they were 2 separate peer IP addresses, you could use the backup peer option on a crypto map (set peer x.x.x.x y.y.y.y) to achieve failover to the other peer. Also, keeping both tunnels up at the same time for the same traffic does not make sense, as it would only go through one tunnel at a time.

Perhaps it was not clear when I mentioned "same IP Address".

they have two sites, we have one:

My Site (3.3.3.3) <---> Their Site 1 (1.1.1.1)

My Site (3.3.3.3) <---> Their Site 2 (2.2.2.2)

So, you are saying that if we had the same destination subnets in both crypto ACLs, if the primary tunnel goes down, then traffic would not pass through the second tunnel?

Makes more sense now. Yes, the ASA will not send traffic to the second tunnel if the first one is down, if they are configured in 2 different crypto map entries and the source and destination networks in the crypto ACL are the same. The ASA matches crypto map entries sequentially, and it is not dependent on whether the tunnel is up or down, so it will always match the first tunnel.

The better option is to use the backup peer and the same crypto map entry as I mentioned before. This way, the ASA tries to reach the primary peer 3 times and if it fails, it will establish a tunnel to the secondary IP.
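As an added illustration (a constructed ASA config fragment, not from this thread or from Cisco documentation), here is the two-entry layout Rahul describes beside the single-entry backup-peer form, using the 1.1.1.1 / 2.2.2.2 peers from the post; the ACL name, subnets, transform-set name, tunnel-group key placeholder and DPD timers are assumptions, and the IKEv1 policy and interface setup are assumed to already exist.

```cisco
! --- Layout that does NOT fail over: two entries, identical crypto ACL ---
access-list VPN-CUST extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-CUST
crypto map OUTSIDE_MAP 10 set peer 1.1.1.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
! Entry 20 is never selected for this traffic: the lookup stops at the
! first entry whose ACL matches (10) and does not consider SA state,
! so a dead 1.1.1.1 tunnel simply blackholes the traffic.
crypto map OUTSIDE_MAP 20 match address VPN-CUST
crypto map OUTSIDE_MAP 20 set peer 2.2.2.2
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES-SHA

! --- Corrected layout: one entry, primary and backup peer together ---
no crypto map OUTSIDE_MAP 20
crypto map OUTSIDE_MAP 10 match address VPN-CUST
crypto map OUTSIDE_MAP 10 set peer 1.1.1.1 2.2.2.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Each peer address still needs its own tunnel-group for phase 1.
! Dead peer detection (isakmp keepalive) is what lets the ASA notice the
! primary is gone and tear down its SA; without it, failover waits for the
! SA lifetime to expire.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK-SITE1>
 isakmp keepalive threshold 10 retry 2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK-SITE2>
 isakmp keepalive threshold 10 retry 2
```

Both tunnel-groups must exist before the backup peer is usable, and the remote sites must each be configured to accept 3.3.3.3 with the mirrored crypto ACL; only one of the two tunnels carries traffic at any time, which is what the thread says is the intended behaviour.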

I used to read about secondary peers having trouble with conflicting SAs.

Is this not a problem?
