VPN failover between ASA and 2 Cisco Routers

vvujicevic
Level 1

Hello,

I have an ASA 5520 in my central site serving as a VPN termination point, and in the remote office 2 Cisco 1941 routers, each with a static public IP from a different provider. There is HSRP in place on the LAN side of the remote office for redundant internet access.

I'm trying to build a setup where I would have a redundant VPN tunnel between the ASA and the remote office for access to a web server on the central site.

I have found guides for creating redundant VPN with ASA and 2 providers, and also with Routers only, but not with a combination like in my case.

Any suggestion would be welcome. Thank you in advance.

Accepted Solution

You can quite simply set this up by adding another peer IP to the existing tunnel and configure a tunnel group for it with the exact same settings as the first tunnel.  Then once the first configured IP goes down it will try the second configured IP.

crypto map mymap 5 set peer 1.1.1.1 2.2.2.2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
  ikev1 pre-shared-key MYKEY
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
  ikev1 pre-shared-key MYKEY

You can also have a look at this link.  It is not exactly what you are trying to do, but there two routers are in front of one of the ASAs and SLA is being used to track default routes.  But the idea is the same.

--

Please remember to select a correct answer and rate helpful posts


5 Replies


The more that I think about this situation the trickier it gets. On the surface it is a fairly simple solution. As suggested in the other response, each router at the remote site gets a site-to-site VPN configuration peering with the ASA. And the ASA gets a second peer address in the crypto map set peer command and a second tunnel group. That will allow the ASA to have an active peer session to one router and, if that session fails, to have an active session to the other router.

What makes it tricky is that the failover of the VPN depends on the state of the VPN session. But at the remote site it is quite possible that there could be an HSRP event causing the LAN to send traffic destined for the server to the second router while the first router is still the active peer. So what is needed is a way to assure that traffic from the remote LAN is sent to the router with the active VPN. Perhaps something like reverse route injection from the VPN might take care of that?

HTH

Rick


RRI would work if upstream devices are running routing protocols. I don't think it would affect L2 traffic?  

I suppose to mitigate this on the routers as much as possible, if the network is L2, you could track the outside interface on the router and reference that in the HSRP.

--

Please remember to select a correct answer and rate helpful posts


Ok, you guys pretty much summed up my thoughts on this:)

I was planning to add a second peer on the ASA, but I'm worried about "lingering" sessions that may prevent the failover from happening in a timely manner. The first question that pops up is whether to disable keepalives?

My current HSRP setup tracks the outside interface by pinging a Google server, so I think that the LAN sending traffic to a dead connection is not going to be an issue.

Disabling DPD (keepalives) would not be a good idea in my opinion.  You would then, theoretically, have two VPNs that are trying to forward the same traffic.  You need DPD in place so the ASA knows when to forward traffic to the other peer.  There will of course be a short drop in traffic while the second tunnel establishes, but I do not think there is a way around it.

--

Please remember to select a correct answer and rate helpful posts

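A worked configuration that ties the two points raised in this thread together: on the remote routers, HSRP priority follows an IP SLA probe through the uplink, so the LAN gateway moves to the router whose provider path (and therefore tunnel) is usable; on the ASA, DPD stays enabled but is tightened so a dead peer is declared quickly and the crypto map moves on to the backup peer. This is an added example, not configuration posted by anyone in the thread; the probe target 203.0.113.1, the LAN addressing, the interface names and the crypto map name ASA-MAP are placeholders, and the routers' own IKE/IPsec configuration is omitted.

```cisco
! --- Remote router R1 (preferred HSRP active); R2 is identical with ---
! --- priority 100 and its own provider address (2.2.2.2 in the thread) ---
! Probe a host reachable only via this provider (placeholder address).
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
! Tracked object: down after 10 s of probe failure, up again after 30 s
! of success, which dampens flapping on a marginal uplink.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
interface GigabitEthernet0/0
 description Uplink to ISP-A (public IP 1.1.1.1 in the thread)
 crypto map ASA-MAP
!
interface GigabitEthernet0/1
 description LAN side, HSRP group 1 (placeholder addressing)
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 ! Losing the probe drops priority to 90, below R2's 100, so the LAN
 ! gateway moves to the router whose tunnel the ASA can still reach.
 standby 1 track 1 decrement 20
!
! --- ASA (central site): backup peer plus tightened DPD (IKEv1) ---
! A keepalive every 10 s with 2 s retries marks the peer dead in well
! under a minute, after which the crypto map tries 2.2.2.2.
crypto map mymap 5 set peer 1.1.1.1 2.2.2.2
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key MYKEY
 isakmp keepalive threshold 10 retry 2
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key MYKEY
 isakmp keepalive threshold 10 retry 2
```

After a failover, `show crypto ikev1 sa` on the ASA and `show standby brief` on the routers should agree on which remote router is both the active HSRP gateway and the active IKE peer.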