VPN Failover within the same ASA

bwgray · ‎05-22-2009

Hi Everyone,

I'm working out a concept here and want to know if this can be done. On an ASA I would like to have 2 different interfaces connect to 2 different ISP's - one primary, one backup. As well I will be running VPN tunnels across the links.

What I want to know is if I have a tunnel established over ISP A to our remote site, and it fails, is there a way to have the state information and tunnel moved over to ISP B, on the same ASA device?

Thanks!

mvsheik123 · ‎05-22-2009

Hi,

You need to go with tracking the primary ISP config.. someone posted the attached longtime back and I saved it..(so if this is helpful..say thanks to them..;-))

Also, I don't think 'state' information will moved over withouttearing down the existing connections..

hth

MS

bwgray · ‎05-22-2009

Thanks MS,

Unfortunately I have the need of being able to send the state information over to the other port as well - if possible.

I know there is "juni***" gear that can do this, but I'm not sure if the ASA's can or cannont - currently we're running ASA's.

My goal is to not only have a backup link for the sites, but aslo the VPN tunnel moved over automatically as well - as the reestablishment of these sessions cause great issues with the customers...

Thanks!

paul · ‎05-22-2009

This would actually require some functionality that I don't believe is in the client either. The client has to know to tunnel to a different IP address to meet this need. Correct? There is an option for backup servers, but I don't think that is stateful.

bwgray · ‎05-23-2009

Hi Paul,

That is correct. The client needs to tunnel through a different ISP which would mean that there is a different ISP in use. I'm not sure if it's possible, but thought I would see if anyone has come across this before...