vpn load balancing

r.kukreja
Level 1

Hi,

Currently we have deployed a site-to-site VPN between two ASA 5510 models. One is the corporate site and one is a remote site. Now we plan to use a Radware load balancer in which two ISPs will terminate. Now, if at a remote site we create only one IPsec tunnel and mention a single ISP peering, and one ISP fails at corporate, how

will the remote site be accessed by site-to-site VPN through the two ISP VPNs? What do we need to do on the ASA as well as the load balancer at both ends?

Regards,

Rajat

6 Replies

Bastien Migette
Cisco Employee

Hi Rajat,

In your case, I think the easiest way would be to have 2 IPsec tunnels between your corp and remote site, each tunnel on a different ISP. Now, use either routing protocols, or a static route with tracking for example, so that if one of the ISPs is down, the tunnel will be down, and routing will adjust automatically.

Hi,

I think it is not possible to do it by tracking in the corp office. I have 5 IPsec VPN locations. I need some mechanism to do it by the remote location IPsec tunnel: if one remote tunnel built over one ISP is down, then a second remote tunnel over the same firewall should take charge. I mean I will create another tunnel at the remote location, but I don't know how the primary and secondary behaviour of both tunnels can be judged by the firewall.

I have one internet leased line at the remote location, and two internet leased lines at the corporate office.

Hi Rajat,

What I was saying was relating to the remote office part.

If I understood, you have your corp site that has 2 ISP connections, and your remote sites that have only one connection.

In that case, since you have ASAs, it won't be that easy to create 2 tunnels that load balance traffic using routing, and in the end if you have only one internet connection on the ASA it won't make that much sense.

What you can do is to add multiple set peer statements in your crypto map on the remote site, along with ISAKMP dead peer detection, so if the connection to the public IP of the corp site ISP1 fails, the ASA will try to establish the tunnel to the other public IP.
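As an added illustration of the multiple-peer crypto map described above (this is example configuration written for this thread, not something posted by the original participants or taken from Cisco documentation), here is what the remote-site ASA could look like. The public addresses 203.0.113.1 (corp ISP1) and 198.51.100.1 (corp ISP2), the interface and object names, and the pre-shared key placeholder are all assumptions; the ASA 8.4-style `ikev1` keywords are likewise assumed (on older 8.2 code the same statements exist without the `ikev1` prefix).

```cisco
! ---- Remote-site ASA (constructed example) ----
! Interesting traffic: remote LAN to corp LAN
object network REMOTE_LAN
 subnet 10.20.0.0 255.255.255.0
object network CORP_LAN
 subnet 10.10.0.0 255.255.255.0
access-list VPN_TO_CORP extended permit ip object REMOTE_LAN object CORP_LAN

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! One crypto map entry, two peers: the first listed peer (ISP1 address)
! is tried first; the second is used only if the first cannot be reached.
crypto map OUTSIDE_MAP 10 match address VPN_TO_CORP
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! One tunnel-group per corp public IP, each with DPD enabled so a dead
! ISP1 peer is detected and the ASA falls over to the ISP2 address.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
 isakmp keepalive threshold 10 retry 2
```

Two points worth checking on the corporate side: each of the two public addresses must be reachable to the corp ASA through the load balancer (or be an interface address there), and the corp crypto map entry for this remote site needs the remote ASA's single public IP as its peer on whichever interface owns each address. Without DPD (or a routing change that takes the interface down) the remote ASA has no reason to abandon an idle SA to the dead peer, so the `isakmp keepalive` line is the part that actually drives the failover.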

Hi,

I am OK to add 2 set peer statements with dead peer detection in the remote office tunnel, which include the IP addresses of the 2 internet leased lines terminated at the corp office, but in which order should I add the peer IP addresses? Suppose my primary ISP is Sify and my secondary ISP is Reliance. I will add the Sify IP address in the first peer statement and the Reliance IP address in the next peer statement.

When the ASA tunnel end statement executes, will it automatically detect this? When the peer IP with Sify executes, it will establish the tunnel with Sify; it will not try to create the tunnel with the Reliance IP.

Can you send any document or link for reference?

thanks a lot for your kind support.

regards,

rajat

Hi Rajat,

I'm sorry, but I didn't find such a document; however, you may take a look at this post:

https://supportforums.cisco.com/thread/63796

Even though it is old, I don't think it has changed.

Hi,

Can anybody help me out with this query?

Regards,

Rajat