09-14-2011 12:21 AM
Hi,
Currently we have deployed a site-to-site VPN between two ASA 5510 models: one at the corporate site and one at the remote site. Now we plan to use a Radware load balancer in which two ISPs will terminate. If at the remote site we create only one IPsec tunnel and mention a single ISP peering, and one ISP fails at corporate, how
will the remote site be accessed by the site-to-site VPN through the two ISP VPNs? What do we need to do on the ASA as well as the load balancer at both ends?
Regards,
Rajat
09-14-2011 01:05 AM
Hi Rajat,
In your case, I think the easiest way would be to have two IPsec tunnels between your corp and remote site, each tunnel on a different ISP. Then use either a routing protocol, or a static route with tracking for example, so that if one of the ISPs is down, the tunnel will be down, and routing will adjust automatically.
09-14-2011 01:17 AM
Hi,
I think it is not possible to do it by tracking in the corp office. I have 5 IPsec VPN locations. I need some mechanism to do it from the remote location's IPsec tunnel. If one remote tunnel built over one ISP is down, then a second remote tunnel over the same firewall should take charge. I mean I will create another tunnel at the remote location, but I don't know how the firewall can judge the primary and secondary behaviour of both tunnels.
I have one internet leased line at the remote location and two internet leased lines at the corporate office.
09-14-2011 01:37 AM
Hi Rajat,
What I was saying was relating to the remote office part.
If I understood, you have your corp site that has 2 ISP connections, and your remote sites that have only one connection.
In that case, since you have an ASA, it won't be that easy to create 2 tunnels that load balance traffic using routing, and in the end if you have only one internet connection on the ASA it won't make that much sense.
What you can do is to add multiple set peer statements in your crypto map on the remote site, along with ISAKMP dead peer detection, so if the connection to the public IP of the corp site ISP1 fails, the ASA will try to establish a tunnel to the other public IP.
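A worked remote-site configuration for the approach in this reply, added here as an illustration and not the poster's own configuration. The ASA 8.2-style syntax, names, and RFC 5737 documentation addresses are assumptions; the corporate side must accept IKE from the remote ASA's public address on both of its ISP addresses.

```cisco
! Remote-site ASA 5510 (assumed ASA 8.2 syntax; addresses are documentation addresses, not real)
! Interesting traffic: remote LAN 192.168.10.0/24 to corporate LAN 10.0.0.0/16
access-list CORP_VPN extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0

! Phase 1 (ISAKMP) policy
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2 transform set
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! One crypto map entry with two peers: the first listed peer (corporate ISP1) is tried first;
! the second (corporate ISP2) is used only when the first is unreachable.
crypto map OUTSIDE_MAP 10 match address CORP_VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! One tunnel-group per corporate peer address, each with DPD enabled (keepalive after 10 s
! idle, retry every 2 s) so a dead peer is detected and the crypto map fails over to the
! next listed peer.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_PSK_FOR_ISP1_PEER
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_PSK_FOR_ISP2_PEER
 isakmp keepalive threshold 10 retry 2

! Verification: "show crypto isakmp sa" shows which peer the tunnel is currently built to.
```

The ASA does not automatically fall back to the first peer once it is reachable again; the tunnel stays on the peer it last built to until that one fails or its SA is cleared.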
09-14-2011 01:46 AM
HI,
I am OK with adding 2 set peer statements with dead peer detection in the remote office tunnel, which include the IP addresses of the 2 internet leased lines terminated at the corp office, but in which order should I add the peer IP addresses? Suppose my primary ISP is Sify and my secondary ISP is Reliance: I will add the Sify IP address in the first peer statement and the Reliance IP address in the next peer statement.
When the ASA tunnel end statement executes, will it detect this automatically? When the peer with the Sify IP executes, it will establish the tunnel with Sify, and it will not try to create a tunnel with the Reliance IP.
Can you send any document or link for reference?
thanks a lot for your kind support.
regards,
rajat
09-14-2011 02:33 AM
Hi Rajat,
I'm sorry, but I didn't find such a document; however, you may take a look at this post:
https://supportforums.cisco.com/thread/63796
Even though it's old, I don't think it has changed.
09-14-2011 09:22 PM
Hi,
Can anybody help me out with this query?
Regards,
Rajat