VPN failover between ASA's

dwaynepeeters
Beginner

I am doing research looking for the best solution for a failover between two ASAs and was hoping someone would like to point me in the right direction.

The situation is as follows, we have got:

- 2 headquarters, each equipped with an ASA 5505
- 10 branch offices, each equipped with an 887 integrated services router

Each branch office needs to have a redundant VPN connection to both headquarters, and they all need to use the first one as the primary and the other one as the secondary. In case of a failure, all branch offices need to use the second VPN connection going to the second headquarters.

In my research I am looking for the best possible solution, with the quickest failover, but have no idea where to start my research.

I am hoping someone has a good answer for this one.

Thank you very much in advance,

Kind regards

Dwayne


No, I don't have connectivity right now, but I can ping successfully from the HQ to the ISP, and then from the ISP to the Branch. But I don't know how to configure the default route right, because when I configure:

ip route 0.0.0.0 0.0.0.0 fa1/0 I get the following output:

It receives a Hello, but the relationship isn't forming. I don't have a clue what this means or what to do now.

It shows me:

HQ2#
*Oct  1 16:36:03.347: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.3 (Tunnel1) is up: new adjacency
HQ2#
*Oct  1 16:37:13.159: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.3 (Tunnel1) is down: Interface PEER-TERMINATION received
HQ2#
*Oct  1 16:37:14.763: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.3 (Tunnel1) is up: new adjacency
HQ2#
*Oct  1 16:37:35.195: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.3 (Tunnel1) is down: stuck in INIT state

It says: stuck in INIT. Could this be because I don't have the bandwidth configured properly?
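Added example, not code from this thread: a small Python script that parses the %DUAL-5-NBRCHANGE lines pasted above and reports, per EIGRP neighbour, how often it came up and went down, the reasons given for each down, whether it is flapping, and whether it hit "stuck in INIT". The sample input is the four log lines from the post (prompt lines included, so the parser has to skip them); the flap window and threshold are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# IOS syslog format for an EIGRP neighbour change, e.g.
# *Oct  1 16:36:03.347: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.3 (Tunnel1) is up: new adjacency
NBRCHANGE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"%DUAL-5-NBRCHANGE:\s+EIGRP-IPv4\s+(?P<asn>\d+):\s+"
    r"Neighbor\s+(?P<nbr>\d{1,3}(?:\.\d{1,3}){3})\s+\((?P<intf>[^)]+)\)\s+"
    r"is\s+(?P<state>up|down):\s+(?P<reason>.+?)\s*$"
)

# Sample input: the four lines the poster pasted from HQ2, prompts included.
SAMPLE_LOG = """\
HQ2#
*Oct  1 16:36:03.347: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.3 (Tunnel1) is up: new adjacency
HQ2#
*Oct  1 16:37:13.159: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.3 (Tunnel1) is down: Interface PEER-TERMINATION received
HQ2#
*Oct  1 16:37:14.763: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.3 (Tunnel1) is up: new adjacency
HQ2#
*Oct  1 16:37:35.195: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.1.3 (Tunnel1) is down: stuck in INIT state
""".splitlines()


def parse_line(line):
    """Return a dict for a DUAL-5-NBRCHANGE line, or None for anything else (prompts, other syslog)."""
    m = NBRCHANGE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # IOS timestamps carry no year; strptime defaults to 1900, which is fine for ordering within one capture.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S.%f")
    ev["asn"] = int(ev["asn"])
    return ev


def summarize(lines, flap_window_s=120, flap_threshold=2):
    """Group events per (AS, neighbour, interface) and flag neighbours that flap or get stuck in INIT.

    A neighbour is 'flapping' when it goes down at least flap_threshold times
    within flap_window_s seconds (both thresholds are assumptions for this example).
    """
    by_nbr = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_nbr[(ev["asn"], ev["nbr"], ev["intf"])].append(ev)

    report = {}
    for key, evs in by_nbr.items():
        evs.sort(key=lambda e: e["ts"])
        downs = [e for e in evs if e["state"] == "down"]
        flapping = any(
            (downs[i + flap_threshold - 1]["ts"] - downs[i]["ts"]).total_seconds() <= flap_window_s
            for i in range(len(downs) - flap_threshold + 1)
        )
        reasons = sorted({e["reason"] for e in downs})
        report[key] = {
            "ups": sum(1 for e in evs if e["state"] == "up"),
            "downs": len(downs),
            "down_reasons": reasons,
            "flapping": flapping,
            # "stuck in INIT": hellos are received but the neighbour never acknowledges the
            # initial update, which points at one-way reachability between the tunnel endpoints.
            "stuck_in_init": any("stuck in INIT" in r for r in reasons),
            "last_state": evs[-1]["state"],
        }
    return report


if __name__ == "__main__":
    for (asn, nbr, intf), stats in summarize(SAMPLE_LOG).items():
        print(f"AS {asn} neighbour {nbr} on {intf}: {stats}")
```

Run it as-is to see the summary for the pasted lines, or feed it the output of a terminal capture line by line; a neighbour reported as flapping with "stuck in INIT" is the pattern to look for before touching timers or bandwidth.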

mkdccie
Beginner

Can you send me the full config for each router?

Again, thank you all very much for your effort.

Mohammed, I will send you the configs tomorrow morning (I'm from Holland and it's 5pm over here).

I have my computer at the office and am currently on my way home.

HQ1 Config:

HQ1#show run
Building configuration...

Current configuration : 1534 bytes
!
! Last configuration change at 08:52:41 UTC Tue Oct 2 2012
!
upgrade fpd auto
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip source-route
ip cef
!
no ip domain lookup
ip domain name lab.local
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.1.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 no ip split-horizon eigrp 1
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint
 tunnel key 1
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 1.1.1.1 0.0.0.0
 network 192.168.1.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
control-plane
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

ISP Config:

ISP#show run
Building configuration...

Current configuration : 1265 bytes
!
! Last configuration change at 08:58:35 UTC Tue Oct 2 2012
!
upgrade fpd auto
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip source-route
ip cef
!
no ip domain lookup
ip domain name lab.local
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 3.3.3.4 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 2.2.2.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/1
 ip address 4.4.4.5 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

BR1 Config:

BR1#show run
Building configuration...

Current configuration : 1592 bytes
!
! Last configuration change at 08:56:29 UTC Tue Oct 2 2012
!
upgrade fpd auto
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BR1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip source-route
ip cef
!
no ip domain lookup
ip domain name lab.local
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 192.168.1.1 1.1.1.1
 ip nhrp map multicast 2.2.2.2
 ip nhrp map 192.168.1.2 2.2.2.2
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp nhs 192.168.1.2
 no ip split-horizon eigrp 1
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint
 tunnel key 1
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 3.3.3.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 3.3.3.3 0.0.0.0
 network 192.168.1.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
control-plane
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end


HQ2 Config:

HQ2#show run
Building configuration...

Current configuration : 1404 bytes
!
! Last configuration change at 09:14:10 UTC Tue Oct 2 2012
!
upgrade fpd auto
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip source-route
ip cef
!
no ip domain lookup
ip domain name lab.local
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip nhrp authentication CISCO
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint
 tunnel key 1
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 2.2.2.2 0.0.0.0
 network 192.168.1.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end


Using EIGRP, when you configure the router to advertise the networks that are directly connected to it using the "network x.x.x.x" command, you need to specify the supernet of a group of subnets, not the IP address of the interface. If you do it that way, it will not advertise any networks.

Try the below on its respective router and see if the error still occurs or not:

router eigrp 1
 network 1.1.1.0

router eigrp 1
 network 2.2.2.0

router eigrp 1
 network 3.3.3.0

On the ISP, add:

router eigrp 1
 network 1.1.1.0
 network 2.2.2.0
 network 3.3.3.0
 network 4.4.4.0

Hi Rudy,

This does work indeed, but I do have one concern:

In reality, will an ISP router ever run EIGRP and form a neighbour relationship with your company router?

Also, I have configured it like you said, and it works. But now I am missing 1 out of 10 pings?

Could this be because I have not configured the bandwidth command in EIGRP?

In fact, now I am not using the tunnel interface to route the traffic from the BR1 to HQ1, but it's using the physical interface.

What I would suggest to you is to get rid of the ISP router in your diagram, because in reality you will not have to configure or have anything to do with the ISP except getting the IP addresses from them; try to picture that your physical interfaces will be your interfaces facing the internet. Here is a video about designing a simple DMVPN from Keith. Play around with this, then try to go deeper from there.

DMVPN

There are maybe some ISPs that use EIGRP as their IGP, but for connecting to a company router they use eBGP. Here is a thread regarding your question that is well explained by other people; hope this can help you understand the concept.

https://learningnetwork.cisco.com/thread/25056

Missing 1 out of xx is a normal thing to happen when you try to establish a connection between two routers for the first time, because it gets eaten by the ARP request. If you ping again, you should get a full 10 pings; that's because now it has the ARP entry in its cache.
