03-06-2018 07:10 AM - edited 03-12-2019 05:05 AM
hi all,
Could you please advise if we can have ipsec vpn redundancy with a different ASA at a different location altogether?
I have an ASA at my end - 10.10.10.1
Other end
Palo Alto Firewall 1 - 192.168.1.1
Palo Alto Firewall 2 - 172.16.1.2
Currently have an IPsec VPN between 10.10.10.1 and 192.168.1.2.
Can I have redundancy for the IPsec VPN, if and only if my peer firewall 1 fails, so that it connects to the second peer?
I tried adding it as a secondary peer IP address in the crypto map command like we do for dual-ISP redundancy, but it fails.
Kindly need your advice ASAP, please.
03-06-2018 08:30 AM
Create a second crypto map entry with a higher sequence number and the same parameters as the original. If the IKE/IPSec negotiation fails on the lower sequence, the higher sequence will engage. Low lifetimes and keepalives are good here in order to make sure that a failure is detected quickly.
03-06-2018 08:43 AM
Having 2 crypto map entries will not work if the same crypto ACL (proxy) entries are used for both. The traffic will always try to match the first crypto map entry if initiated from the ASA. This will never match the second crypto map to initiate the tunnel.
If the other end initiates the tunnel, the IKE and IPsec tunnel will establish. But when encrypted traffic has to match a tunnel, it will still try to match the first entry and kick-start IKE to the first peer again.
03-06-2018 08:50 AM
03-06-2018 08:57 AM
Interesting. Maybe you have different crypto ACLs in both sequences? From an IKEv1 perspective, all you need is the backup peer ( "set peer x.x.x.x y.y.y.y") to fall back to the second peer.
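For reference, here is what the backup-peer configuration described in the replies above looks like on the ASA. This is an added example, not configuration posted by anyone in the thread. The peer addresses are the ones given in the question; the object, ACL, transform-set and crypto map names, the protected subnets, the IKEv1 policy parameters and the placeholder pre-shared keys are assumptions chosen for illustration. Lines starting with "!" are comments.

```text
! Added example, not from the thread. IKEv1 site-to-site crypto map with a primary
! and a backup peer ("set peer <primary> <backup>"). Names and subnets are assumed.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! One crypto ACL shared by both peers: both Palo Alto units must present the same proxy IDs.
! 10.10.10.0/24 and 192.168.100.0/24 are assumed local/remote networks.
access-list VPN_TO_PA extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0

crypto ipsec ikev1 transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac

! Single crypto map entry; the ASA tries 192.168.1.1 first and falls back to 172.16.1.2
! only when IKE to the primary fails.
crypto map OUTSIDE_MAP 10 match address VPN_TO_PA
crypto map OUTSIDE_MAP 10 set peer 192.168.1.1 172.16.1.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES256_SHA
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE_MAP interface outside

! One tunnel-group per peer. DPD keepalives (threshold 10 s, retry 2 s) make a dead
! primary visible quickly, as suggested in the first reply.
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PRIMARY>
 isakmp keepalive threshold 10 retry 2
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 ikev1 pre-shared-key <PSK-BACKUP>
 isakmp keepalive threshold 10 retry 2

! Verification: confirm a single phase 1 SA and which peer owns the phase 2 SA.
! show crypto ikev1 sa
! show crypto ipsec sa peer 192.168.1.1
! show crypto ipsec sa peer 172.16.1.2
```

The failover here is driven entirely by the ASA: it always initiates to the first listed peer and only moves to the second when the primary does not answer. If the second Palo Alto is also allowed to initiate while the primary is healthy, the ASA will accept that inbound negotiation and you end up with SAs to both peers for the same proxy IDs, which is the symptom described later in this thread. The usual fix is to make the backup peer responder-only (on PAN-OS the IKE gateway has a "Passive Mode" option for exactly this) so that it never initiates, and to use "debug crypto ikev1 127" on the ASA to confirm which side is starting each negotiation.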
03-08-2018 02:09 AM
thanks for your replies guys..
I have tried adding both peer IP addresses, but it forms tunnels with both peers at the same time when both peers are up and functional, and eventually there is no traffic flow. In the case of dual ISP on the peer, it forms the tunnel with the secondary peer only if the primary fails, and I assumed the same concept applies here?
03-08-2018 02:10 AM
And it is IKEv1, to be clear.
03-12-2018 08:32 AM
Depends on who initiates the tunnel. If the second peer on the other side initiates the tunnel, you could have a situation with tunnels to 2 peers. Can you run a debug and see who initiates both tunnels? The second peer should only be sending traffic when primary fails.
03-06-2018 08:40 AM
This is not possible if you use IKEv2. IKEv2 on the ASA does not support backup peers:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCud22276/?referring_site=bugquickviewredir