Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
358
Views
0
Helpful
3
Replies

VPN failover, can this be done

J_Vansen_S
Level 3
Level 3

‎05-04-2011 09:00 PM

Hi,

We have a customer requirement of providing

  1. secure connectivity from Remote Office to HQ
  2. Same time to provide certain level of layer 3 redundancy via secondary link should the primary link fail

We are looking at ASA5500 series firewall for both Remote office and HQ.

Can this be done?

If so, would appreciate if anyone can provide me with some pointers/read ups

Thank you

Regards: Jocelyn


Labels:
Preview file
69 KB
0 Helpful
3 Replies 3

andamani
Cisco Employee
Cisco Employee

‎05-05-2011 09:58 AM

Hi,

You seem to looking for a backup site to site Vpn tunnel.

Please check the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml#backup

Hope this helps.

Regards,

Anisha

P.S.:please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

0 Helpful

network770
Level 1
Level 1
In response to andamani

‎05-05-2011 05:47 PM

I am not seeing how this is a backup vpn if and when a primary vpn fails.

Do the options below enforce a one way traffic on a vpn tunnel vs. two ways? which one is which?

  • answer-only—This specifies that this peer only responds to  inbound IKE connections first during the initial proprietary exchange in  order to determine the appropriate peer to which to connect.

  • bidirectional—This specifies that this peer can accept and  originate connections based on this crypto map entry. This is the  default connection type for all Site-to-Site connections.

  • originate-only—This specifies that this peer initiates the  first proprietary exchange in order to determine the appropriate peer to  which to connect.

0 Helpful

andamani
Cisco Employee
Cisco Employee
In response to network770

‎05-06-2011 05:22 AM

Hi,

On the ASA with two links, you will have the crypto map entry associated with the primary ASA and  the same crypto map entry associated with backup link.

You can check the following discussion:

https://supportforums.cisco.com/thread/2078908?decorator=print&displayFullThread=true

Hope this helps.

Regards,
Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

0 Helpful
Customers Also Viewed These Support Documents