ā02-09-2023 12:19 PM
Hi Team:
Quick question. I have a single ASA with dual links. Each link to an ISP. Currently I have IP SLA configure to failover to the other provider if the main provider path is down. I have a branch connected to that single ASA via a site to site vpn via the primary provider. Now what i would like to do is create another VPN from the branch office to the main but using the secondary path. So if the main provider fails and the vpn goes down the branch can reach it via the secondary ISP link.
Should i create the backup vpn path just like i did on the first one and then use the same tracker to track the vpn status so that its aware when to failover? how can i get this done?
Solved! Go to Solution.
ā02-09-2023 01:50 PM
@jebanks on the HQ side you would need to enable the crypto map and ikev2/ikev1 on the second interface. And obviously ensure the IP SLA and tracking is working correctly for the failover.
On the branch you'd need to define a tunnel group for the second ISP and specify the authentication PSK/cert etc.
ā02-10-2023 01:31 PM
http://networkerslog.blogspot.com/2011/04/reverse-route-injection-for-remote.html
Chech this link you must disable RRI first
Update us if it not working
ā02-09-2023 12:26 PM - edited ā02-09-2023 01:51 PM
@jebanks on the branch configure a backup peer in the crypto map (I assume you are using a policy based VPN). Ensure you have DPD keepalives enabled to ensure the stale IPSec SA are cleared in th event of failure of the primary link.
Example:
crypto map CMAP 1 set peer 1.1.1.1 2.2.2.1
In this example a tunnel will be established to 1.1.1.1, if that fails the ASA will attempt to connect to 2.2.2.1.
This example shows you the branch side cfg. https://integratingit.wordpress.com/2020/05/21/asa-multi-peer-vpn/
ā02-09-2023 01:31 PM
ā02-09-2023 01:38 PM
@jebanks yes, that example I provided would be defined on the branch side.
ā02-09-2023 01:43 PM
and at the HQ side would be another vpn configuration like i did for the first one right?
ā02-09-2023 01:50 PM
@jebanks on the HQ side you would need to enable the crypto map and ikev2/ikev1 on the second interface. And obviously ensure the IP SLA and tracking is working correctly for the failover.
On the branch you'd need to define a tunnel group for the second ISP and specify the authentication PSK/cert etc.
ā02-10-2023 01:08 PM - edited ā02-10-2023 01:09 PM
hi Rob:
Thanks for the help so far. I believe the advice you are giving me is like this article i found (https://www.petenetlive.com/KB/Article/0000544) which is exactly what i want to do but when i follow it and the end it says that on the HQ side i need to enable the crypto map on the backup interface like you rightfully mention but when i do so i get the below when i cry to apply my existing crypto map on the secondary link:
ERROR: crypto map has entries with reverse-route injection enabled
Cannot attach to multiple interfaces
would this be due to the fact the firewall i have does not have security plus license?
ā02-10-2023 01:16 PM
@jebanks are you using RRI? If you are, perhaps try and use dynamic (append dynamic keyword to the configuration), however you need to use IKEV2 to use dynamic.
If that doesn't work use a route based VPN with2 VTIs.
ā02-10-2023 01:20 PM
Sorry for my lack of knowledge what you mean by RRI? and how would a dynamic be? Currently its ikev1. Also, not sure what is VTIs but will check it out.
ā02-10-2023 01:26 PM
RRI = reverse route injection.
If you aren't using it then perhaps remove it, then you can enable crypto on the second interface.
ā02-10-2023 01:33 PM
When i google what is RRI- From the definition of Reverse Route Injection, I have understood that it creates static route entries for remote vpn destinations in VPN gateway, so that it can redistribute the routes into into it's local network. would this be cause of the remote vpn that exist on the ASA? is there a command to validate that?
ā02-10-2023 01:38 PM
@jebanks RRI will create static routes on the ASA, which could be redistributed using a routing protocol. Are you redistributing these routes? Do you need to?
https://integratingit.wordpress.com/2022/01/01/asa-reverse-route-injection-rri/
ā02-10-2023 01:31 PM
http://networkerslog.blogspot.com/2011/04/reverse-route-injection-for-remote.html
Chech this link you must disable RRI first
Update us if it not working
ā02-11-2023 07:50 AM
@Rob and @MHM Cisco World it works when i disable to RRI but now when the main link is back up I notice i have to bounce the VPN connection so that it can fail over back. Where in the vpn i would call the SLA?
ā02-11-2023 07:54 AM - edited ā02-11-2023 11:24 AM
@jebanks once the primary interface is up, the ASA Firewall should automatically terminate the connection on the backup interface, the VPN should subsequently be cleared from both ASAs and the VPN should be re-established to the primary peer.
The SLA and track needs to be configured on the HQ Firewall.
What have you configured and on what device?
Provide your configuration.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide