VPN redundancy - backup peer with different ASA?

Srikanth89
Level 1

Hi all,

Could you please advise if we can have IPsec VPN redundancy with a different ASA at a different location altogether?

I have an ASA at my end - 10.10.10.1

Other end

Palo Alto Firewall 1 - 192.168.1.1

Palo Alto Firewall 1 - 172.16.1.2

Currently have an IPsec VPN between 10.10.10.1 and 192.168.1.2

Can I have redundancy for the IPsec VPN, if and only if my peer firewall 1 fails, so that it connects to the second peer?

I tried adding it as a secondary peer IP address in the crypto map command like we do for dual ISP redundancy, but it fails.

Kindly need your advice ASAP, please.

8 Replies

ghostinthenet
Level 7

Create a second crypto map entry with a higher sequence number and the same parameters as the original. If the IKE/IPSec negotiation fails on the lower sequence, the higher sequence will engage. Low lifetimes and keepalives are good here in order to make sure that a failure is detected quickly.

Having 2 crypto map entries will not work if the same crypto ACL (proxies) entries are used for both. The traffic will always try to match the first crypto map entry if initiated from the ASA. This will never match the second crypto map to initiate the tunnel.


If the other end initiates the tunnel, the IKE and IPSEC tunnel will establish. But when encrypted traffic has to match a tunnel, it will still try to match the first entry and kick start IKE to the first peer again. 

Odd. We're using different sequence crypto maps for redundancy at a couple of customers and they're working just fine. Admittedly, we're not using IKEv2, so that may change things up somewhat.

Interesting. Maybe you have different crypto ACLs in both sequences? From an IKEv1 perspective, all you need is the backup peer ("set peer x.x.x.x y.y.y.y") to fall back to the second peer.
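As an added configuration example (not posted by anyone in this thread), this is what the IKEv1 backup-peer approach described above looks like on an ASA, combined with the short SA lifetime and keepalives suggested earlier. It uses the peer addresses from the question (local ASA 10.10.10.1, remote peers 192.168.1.1 and 172.16.1.2); the crypto map, ACL and transform-set names, the protected subnets and the pre-shared key are placeholders.

```cisco
! Added example: IKEv1 site-to-site with a backup peer on a Cisco ASA (8.4+ syntax).
! Object names, subnets and the pre-shared key are placeholders; peer addresses are
! the ones from the question (local ASA 10.10.10.1, remote peers 192.168.1.1 / 172.16.1.2).

! Interesting traffic (crypto ACL). A single ACL is fine here because both peers sit in
! the SAME crypto map entry, so the entry matches no matter which peer is active.
access-list VPN_TO_PA extended permit ip 10.10.0.0 255.255.0.0 192.168.100.0 255.255.255.0

! Phase 1 (IKEv1) policy; use the strongest DH group both ends support.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! Phase 2 transform set
crypto ipsec ikev1 transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac

! One crypto map entry, two peers: the ASA negotiates with 192.168.1.1 first and only
! moves on to 172.16.1.2 when IKE with the first peer fails.
crypto map OUTSIDE_MAP 10 match address VPN_TO_PA
crypto map OUTSIDE_MAP 10 set peer 192.168.1.1 172.16.1.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES256_SHA
! Shorter IPsec SA lifetime so an SA to a dead peer is not kept for hours
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE_MAP interface outside

! One tunnel-group per peer. DPD keepalives (10 s threshold, 2 s retry) detect a dead
! primary quickly so the fallback to the second peer happens promptly.
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK_PEER1
 isakmp keepalive threshold 10 retry 2

tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK_PEER2
 isakmp keepalive threshold 10 retry 2
```

The fallback only applies when the ASA is the initiator: if the second remote peer also brings the tunnel up towards the ASA while the primary is healthy, both tunnels will exist at once. After a failover test, `show crypto ikev1 sa` and `show crypto ipsec sa` show which peer the ASA currently holds SAs with.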

Thanks for your replies, guys.

I have tried adding both peer IP addresses, but it forms tunnels with both peers at the same time when both peers are up and functional, and eventually there is no traffic flow. With the case of a dual ISP on the peer, it forms the tunnel with the secondary peer only if the primary fails, and I assumed the same concept applies here?

And it is IKEv1, to be clear.

Depends on who initiates the tunnel. If the second peer on the other side initiates the tunnel, you could have a situation with tunnels to 2 peers. Can you run a debug and see who initiates both tunnels? The second peer should only be sending traffic when primary fails.

Rahul Govindan
VIP Alumni

This is not possible if you use IKEv2. IKEv2 on the ASA does not support backup peers:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCud22276/?referring_site=bugquickviewredir