Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
785
Views
5
Helpful
3
Replies

VPN failover preference

network770
Level 1
Level 1

‎09-23-2013 07:38 PM

I have a vpn tunnel with the following setup:

crypto map remotevpn 11 set peer <peer1> <peer2>

tunnel-group <peer1> type ipsec-l2l

tunnel-group <peer1>  ipsec-attributes

pre-shared-key abc

tunnel-group <peer2> type ipsec-l2l

tunnel-group <peer2>  ipsec-attributes

pre-shared-key abc

does the above imply that <peer1> will always be the primary vpn tunnel and only if this ip address is not available for whatever reason the firewall will attemp to establish a tunnel with <peer2>?

I'm under this assumption however my firewall is always trying to use <peer2> as its primary, I clear isakmpsa but the tunnel is always preferring peer2.

How do I choose peer1 to the primary and let the firewall choose peer2 ONLY if the peer1 (remote) firewall goes down?

Labels:
0 Helpful
3 Replies 3

shine pothen
Level 3
Level 3

‎09-23-2013 11:34 PM

Hello Ronni,

you can follow this doc for setting up primary and secondary ISP link

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

0 Helpful

shine pothen
Level 3
Level 3

‎09-23-2013 11:38 PM

you can try this doc as well

https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/04/25/ipsec-vpn-redundancy-failover-over-redundant-isp-links

a quick check list is

Floating routes, crypto map with a secondary and primary peer and a tunnel-group for each peer as well

0 Helpful

Jeet Kumar
Cisco Employee
Cisco Employee

‎09-24-2013 09:02 AM

Hi Ronni,

Your assumption was right, thats the way it works whichever IP is configured first will be used as the Primary VPN peer. In case if its not available then it would fall back to the secondary IP.

In case if you are seeing the connection is always building up with the secondary IP that means problem is at the other end and i am pretty sure if you run the following debugs " debug cry isa 125", "debug cry ipsec 125" it will show you that he is trying to build the tunnel with the primary IP first and when getting no response it is falling back to the secondary One. Make sure whatever IP you have configured as primary is also a primary IP at the remote end.

Thanks

Jeet Kumar

Customers Also Viewed These Support Documents