VPN on Cisco ASA

jebanks
Level 1

Hi Team:

Quick question. I have a single ASA with dual links, each link to an ISP. Currently I have IP SLA configured to fail over to the other provider if the main provider path is down. I have a branch connected to that single ASA via a site-to-site VPN via the primary provider. Now what I would like to do is create another VPN from the branch office to the main but using the secondary path, so if the main provider fails and the VPN goes down the branch can reach it via the secondary ISP link.

Should I create the backup VPN path just like I did on the first one and then use the same tracker to track the VPN status so that it's aware when to fail over? How can I get this done?
2 Accepted Solutions

@jebanks on the HQ side you would need to enable the crypto map and ikev2/ikev1 on the second interface. And obviously ensure the IP SLA and tracking is working correctly for the failover.

On the branch you'd need to define a tunnel group for the second ISP and specify the authentication PSK/cert etc.


http://networkerslog.blogspot.com/2011/04/reverse-route-injection-for-remote.html

Check this link, you must disable RRI first.

Update us if it's not working.

15 Replies

@jebanks on the branch configure a backup peer in the crypto map (I assume you are using a policy-based VPN). Ensure you have DPD keepalives enabled to ensure the stale IPsec SAs are cleared in the event of failure of the primary link.

Example:

crypto map CMAP 1 set peer 1.1.1.1 2.2.2.1

In this example a tunnel will be established to 1.1.1.1; if that fails the ASA will attempt to connect to 2.2.2.1.

This example shows you the branch side cfg: https://integratingit.wordpress.com/2020/05/21/asa-multi-peer-vpn/

But this example code that you gave me would be on the branch side, right? I have attached a little drawing of what I am talking about. Thanks.

@jebanks yes, that example I provided would be defined on the branch side.

And at the HQ side it would be another VPN configuration like I did for the first one, right?


Hi Rob:

Thanks for the help so far. I believe the advice you are giving me is like this article I found (https://www.petenetlive.com/KB/Article/0000544), which is exactly what I want to do, but when I follow it, at the end it says that on the HQ side I need to enable the crypto map on the backup interface, like you rightfully mention, but when I do so I get the below when I try to apply my existing crypto map on the secondary link:

ERROR: crypto map has entries with reverse-route injection enabled
Cannot attach to multiple interfaces

Would this be due to the fact that the firewall I have does not have a Security Plus license?

@jebanks are you using RRI? If you are, perhaps try and use dynamic (append the dynamic keyword to the configuration), however you need to use IKEv2 to use dynamic.

If that doesn't work use a route-based VPN with 2 VTIs.

Sorry for my lack of knowledge, but what do you mean by RRI? And how would a dynamic one be? Currently it's IKEv1. Also, not sure what VTIs are but will check it out.

RRI = reverse route injection.

If you aren't using it then perhaps remove it, then you can enable crypto on the second interface.

When I google what RRI is, from the definition of Reverse Route Injection I have understood that it creates static route entries for remote VPN destinations in the VPN gateway, so that it can redistribute the routes into its local network. Would this be because of the remote VPN that exists on the ASA? Is there a command to validate that?

@jebanks RRI will create static routes on the ASA, which could be redistributed using a routing protocol. Are you redistributing these routes? Do you need to?

https://integratingit.wordpress.com/2022/01/01/asa-reverse-route-injection-rri/

@Rob and @MHM Cisco World it works when I disable RRI, but now when the main link is back up I notice I have to bounce the VPN connection so that it can fail back over. Where in the VPN would I call the SLA?

@jebanks once the primary interface is up, the ASA Firewall should automatically terminate the connection on the backup interface, the VPN should subsequently be cleared from both ASAs and the VPN should be re-established to the primary peer.

The SLA and track need to be configured on the HQ Firewall.

What have you configured and on what device?

Provide your configuration.
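Pulling the thread's steps together (a backup peer with DPD on the branch, IKE and the same crypto map on both HQ ISP interfaces, RRI removed so the map can attach to two interfaces, and IP SLA tracking on the HQ side), the following is an added configuration sketch; it is not from any poster in the thread, from the linked articles, or from Cisco documentation. It assumes IKEv1 with pre-shared keys, as the original poster is using. The interface names, the branch address 203.0.113.1, the LAN subnets, the ISP gateways 1.1.1.254 and 2.2.2.254, the SLA target, and the policy and transform-set values are constructed placeholders; the HQ peer addresses 1.1.1.1 and 2.2.2.1 are the ones Rob used above.

```cisco
! ---------- Branch ASA: single ISP link on interface "outside" (constructed names/addresses) ----------
! Branch LAN 192.168.10.0/24, HQ LAN 192.168.1.0/24, HQ peers 1.1.1.1 (primary) and 2.2.2.1 (backup)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
access-list VPN-TO-HQ extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
! One crypto map entry listing both HQ peers: 1.1.1.1 is tried first, 2.2.2.1 if it fails
crypto map CMAP 1 match address VPN-TO-HQ
crypto map CMAP 1 set peer 1.1.1.1 2.2.2.1
crypto map CMAP 1 set ikev1 transform-set TS-AES256
crypto map CMAP interface outside
! One tunnel group per HQ peer address. DPD (isakmp keepalive) tears down the stale SA
! when the primary peer stops answering, so the branch moves on to the backup peer.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2

! ---------- HQ ASA: "outside-primary" 1.1.1.1 and "outside-backup" 2.2.2.1 (constructed names) ----------
! IP SLA pings the primary ISP gateway; the tracked default route is withdrawn when it fails,
! so the floating route (metric 254) via the backup ISP takes over, and comes back when it recovers.
sla monitor 10
 type echo protocol ipIcmpEcho 1.1.1.254 interface outside-primary
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside-primary 0.0.0.0 0.0.0.0 1.1.1.254 1 track 1
route outside-backup 0.0.0.0 0.0.0.0 2.2.2.254 254
! IKE has to be enabled on both ISP interfaces
crypto ikev1 enable outside-primary
crypto ikev1 enable outside-backup
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
access-list VPN-TO-BRANCH extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map CMAP 1 match address VPN-TO-BRANCH
crypto map CMAP 1 set peer 203.0.113.1
crypto map CMAP 1 set ikev1 transform-set TS-AES256
! RRI must be off: a map entry carrying "set reverse-route" cannot be attached to two interfaces
! (this is the "Cannot attach to multiple interfaces" error quoted earlier in the thread).
! Without RRI the branch LAN is reached via whichever default route is currently active,
! so no per-interface static route for 192.168.10.0/24 is needed.
no crypto map CMAP 1 set reverse-route
crypto map CMAP interface outside-primary
crypto map CMAP interface outside-backup
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
```

To check the failover and the failback that the original poster had trouble with: on HQ, `show track 1` should read Up once the primary ISP path recovers and `show route` should again list the metric-1 default via outside-primary; on both ASAs, `show crypto ikev1 sa` and `show crypto ipsec sa` show which peer and which interface the live tunnel is using. If the tunnel stays on the backup path after the track comes back, the DPD keepalive on the peer that still holds the old SA is what should clear it; a peer without `isakmp keepalive` configured is the first thing to look for.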