09-23-2013 07:38 PM
I have a vpn tunnel with the following setup:
crypto map remotevpn 11 set peer <peer1> <peer2>
tunnel-group <peer1> type ipsec-l2l
tunnel-group <peer1> ipsec-attributes
 pre-shared-key abc
tunnel-group <peer2> type ipsec-l2l
tunnel-group <peer2> ipsec-attributes
 pre-shared-key abc
Does the above imply that <peer1> will always be the primary VPN tunnel, and only if this IP address is not available for whatever reason will the firewall attempt to establish a tunnel with <peer2>?
I'm under this assumption; however, my firewall is always trying to use <peer2> as its primary. I clear the ISAKMP SA, but the tunnel always prefers peer2.
How do I make peer1 the primary and let the firewall choose peer2 ONLY if the peer1 (remote) firewall goes down?
09-23-2013 11:34 PM
Hello Ronni,
You can follow this doc for setting up primary and secondary ISP links.
09-23-2013 11:38 PM
You can try this doc as well.
A quick checklist is:
Floating routes, a crypto map with a primary and secondary peer, and a tunnel-group for each peer as well.
09-24-2013 09:02 AM
Hi Ronni,
Your assumption was right, that's the way it works: whichever IP is configured first will be used as the primary VPN peer. If it is not available, it will fall back to the secondary IP.
If you are seeing the connection always building up with the secondary IP, that means the problem is at the other end. I am pretty sure that if you run the following debugs, "debug cry isa 125" and "debug cry ipsec 125", they will show you that it is trying to build the tunnel with the primary IP first and, when getting no response, falling back to the secondary one. Make sure whatever IP you have configured as primary is also the primary IP at the remote end.
Thanks
Jeet Kumar
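Putting the checklist from the second reply and the explanation above together, here is an added example of the complete ASA-side configuration for this setup. It is not from the thread: the addresses, object names and the key are placeholders, the ISP-tracking part assumes the dual-ISP scenario the linked docs cover (drop it if this ASA has a single uplink), and the syntax is ASA 8.4+ with the 8.2-era forms used in the original post noted in comments.

```text
! Added example, not from the thread. Placeholders:
!   203.0.113.1 = primary ISP gateway, 198.51.100.1 = backup ISP gateway
!   192.0.2.10  = <peer1> (primary), 192.0.2.20 = <peer2> (secondary)
! ASA 8.4+ syntax. On 8.2/8.3 use "crypto isakmp policy", "crypto isakmp enable",
! "set transform-set" and a bare "pre-shared-key ..." line as in the original post.

! --- Local ISP failover (only if this ASA has two uplinks) ---
! Ping the primary gateway; when it stops answering, the tracked default route
! is withdrawn and the floating route (metric 254) on the backup interface takes over.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! --- Remote peer failover (the subject of the thread) ---
access-list remotevpn_acl extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set remotevpn_ts esp-aes-256 esp-sha-hmac

! A single crypto map entry. Peers are tried in the order listed, so 192.0.2.10
! is primary and 192.0.2.20 is only contacted after the primary fails to answer.
crypto map remotevpn 11 match address remotevpn_acl
crypto map remotevpn 11 set peer 192.0.2.10 192.0.2.20
crypto map remotevpn 11 set ikev1 transform-set remotevpn_ts
! Cisco documents multi-peer (backup LAN-to-LAN) entries with originate-only on the
! side that lists several peers; confirm against the command reference for your release.
crypto map remotevpn 11 set connection-type originate-only
crypto map remotevpn interface outside
crypto ikev1 enable outside

! One tunnel-group per peer address; both carry the key the remote side expects.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key <key>
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 ikev1 pre-shared-key <key>

! --- Checking which peer actually came up ---
! show crypto ikev1 sa                (8.2: show crypto isakmp sa) - the Peer column is the active peer
! show crypto ipsec sa peer 192.0.2.10
! debug crypto ikev1 127              (8.2: debug crypto isakmp 125, as suggested in the thread)
! clear crypto ikev1 sa               (8.2: clear crypto isakmp sa) - then send interesting traffic
! and watch the debug: the ASA should send its first IKE message to 192.0.2.10 and only
! move on to 192.0.2.20 after the retransmits to the primary time out.
```

When reading the debug, remember that a tunnel can also be brought up by the remote side. If the remote firewall initiates from its second address and that address has a tunnel-group here, the tunnel will terminate on <peer2> no matter how the local peers are ordered, which is why the reply above insists the primary address must be the primary at both ends.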