Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1355
Views
0
Helpful
8
Replies

VPN Failover on different ASA version

justanotherdayintheoffice
Level 1
Level 1

ā€Ž08-25-2011 07:39 PM

Hi Everyone,

We are trying to make a VPN failover over two ASA's. However the 2 ASA's have different version and our smartnet have already expired. I was wondering if this VPN failover would work even if they are different? Or should I get a smartnet first to be able to download an updated ios?

ASA Version 8.0(3)6

ASA Version 7.0(6)

Anyone, please advise.

Thank you.

Labels:
0 Helpful
8 Replies 8

creggerd
Level 1
Level 1

ā€Ž08-25-2011 08:00 PM

Karl,

You cannot run failover between versions like that. According to the documentation, you could run failover between the same major and minor revisions: EX 8.0(2) and 8.0(3), but not between 7.x and 8.x:

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/failover.html#wp1155970

Hope that helps.

Sent from Cisco Technical Support iPad App

0 Helpful

raga.fusionet
Level 4
Level 4
In response to creggerd

ā€Ž08-25-2011 08:18 PM

Creggerd, Karl is talking about VPN failover. In other words backup peers, is that right Karl?

If that is the case, and if you are doing a regular Lan to Lan tunnel,  then there are no major changes on the VPN configuration between 7.0 and 8.0 you should be able to configure your remote site point to ASA A as primary and ASA B as backup and the tunnel should work either way.

I hope this helps.

Raga

0 Helpful

justanotherdayintheoffice
Level 1
Level 1
In response to raga.fusionet

ā€Ž08-25-2011 08:26 PM

Hi Everyone,

Well, our main line connecting the HQ and branch is a lease line and then we are planning to make a VPN failover of the two sites via internet.

So, should I go ahead and recomend a purchase of smartnet now and download an upgraded ios or not?

Thanks.

0 Helpful

raga.fusionet
Level 4
Level 4
In response to justanotherdayintheoffice

ā€Ž08-25-2011 08:34 PM

Ok, so you basically have ASA A running 8.0 on the HQ   and ASA B running 7.0 on the branch and you want to configure a VPN tunnel between them as backup for your leased line.

That being case you can totally create a tunnel between the sites without having to upgrade the code on the 7.0.

Actually the configuration would be pretty much the same.

Here is a sample config in case you need one:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml

I hope this helps.

Raga

0 Helpful

justanotherdayintheoffice
Level 1
Level 1
In response to raga.fusionet

ā€Ž08-25-2011 08:59 PM

Hi Luis,

Thanks for the heads up. However, does making two sites connect via the site-to-site VPN will make the vpn failover work?

Kindly refer to the diagram for our planned network upgrade. (for some reason i can't attach this iamge here)

http://imageshack.us/photo/my-images/84/failovervpn.jpg/

Thanks.

0 Helpful

raga.fusionet
Level 4
Level 4
In response to justanotherdayintheoffice

ā€Ž08-25-2011 09:09 PM

Well, you would have to use floating routes and maybe object tracking to make the traffic re route thru the ASAs if the lease line goes down. Just by configuring the  VPN tunnel the traffic would not re route automatically.

You can refer to the following link, it uses two WAN links but it might give you an idea of what you might need to do.

http://blog.initialdraft.com/archives/2269/

HTH.

0 Helpful

justanotherdayintheoffice
Level 1
Level 1
In response to raga.fusionet

ā€Ž08-25-2011 10:08 PM

Hi Luis,

Really appreciate the prompt reply.

Thank you so much!

0 Helpful

raga.fusionet
Level 4
Level 4
In response to justanotherdayintheoffice

ā€Ž08-26-2011 06:21 AM

Hey glad we could help

Please remember to mark this question as answered if you dont have any further questions.

Have fun!

0 Helpful
Customers Also Viewed These Support Documents