08-25-2011 07:39 PM
Hi Everyone,
We are trying to set up VPN failover across two ASAs. However, the two ASAs run different versions and our SmartNet has already expired. I was wondering if this VPN failover would work even if they are different? Or should I get a SmartNet first to be able to download an updated IOS?
ASA Version 8.0(3)6
ASA Version 7.0(6)
Anyone, please advise.
Thank you.
08-25-2011 08:00 PM
Karl,
You cannot run failover between versions like that. According to the documentation, you could run failover between the same major and minor revisions: EX 8.0(2) and 8.0(3), but not between 7.x and 8.x:
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/failover.html#wp1155970
Hope that helps.
Sent from Cisco Technical Support iPad App
08-25-2011 08:18 PM
Creggerd, Karl is talking about VPN failover. In other words backup peers, is that right Karl?
If that is the case, and if you are doing a regular LAN-to-LAN tunnel, then there are no major changes in the VPN configuration between 7.0 and 8.0. You should be able to configure your remote site to point to ASA A as primary and ASA B as backup, and the tunnel should work either way.
I hope this helps.
Raga
08-25-2011 08:26 PM
Hi Everyone,
Well, our main line connecting the HQ and branch is a leased line, and we are planning to set up a VPN failover between the two sites via the internet.
So, should I go ahead and recommend a purchase of SmartNet now and download an upgraded IOS or not?
Thanks.
08-25-2011 08:34 PM
OK, so you basically have ASA A running 8.0 at the HQ and ASA B running 7.0 at the branch, and you want to configure a VPN tunnel between them as backup for your leased line.
That being the case, you can totally create a tunnel between the sites without having to upgrade the code on the 7.0.
Actually the configuration would be pretty much the same.
Here is a sample config in case you need one:
I hope this helps.
Raga
08-25-2011 08:59 PM
Hi Luis,
Thanks for the heads up. However, will making the two sites connect via the site-to-site VPN make the VPN failover work?
Kindly refer to the diagram for our planned network upgrade. (For some reason I can't attach this image here.)
http://imageshack.us/photo/my-images/84/failovervpn.jpg/
Thanks.
08-25-2011 09:09 PM
Well, you would have to use floating routes and maybe object tracking to make the traffic reroute through the ASAs if the leased line goes down. Just by configuring the VPN tunnel, the traffic would not reroute automatically.
You can refer to the following link; it uses two WAN links, but it might give you an idea of what you might need to do.
http://blog.initialdraft.com/archives/2269/
HTH.
08-25-2011 10:08 PM
Hi Luis,
Really appreciate the prompt reply.
Thank you so much!
08-26-2011 06:21 AM
Hey, glad we could help.
Please remember to mark this question as answered if you don't have any further questions.
Have fun!