cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2128
Views
0
Helpful
18
Replies
ciscobigcat
Beginner

VPN redundancy

I have a scenario where I have 2 ISPs each connected to a different 800 router. The inside network is a single one (10.10.10.0/24). This is a single office and this single office has a L2L tunnel with another office (Office-2). How do I configure load-balance and failover and still keep the tunnel up if one of the ISPs goes down?

2 ACCEPTED SOLUTIONS

Accepted Solutions

ciscobigcat,

I just asked one of the switching experts I worked with and he told me that the 4500s can not handle GRE tunnel even though they are L3 switches.  So that would not work for you. 6500's or even the 3700 series switches should be able to do it no problem, but you should talk to your local sales rep to confirm it.

You can absolutely send a tunnel over another tunnel.  The concept there is that you would build a GRE tunnel between a loopback on the router behind the ASA to a loopback on router-1.  Then you build plain ipsec tunnel between router-1 and the ASA that would match all ip traffic between the loopback on router-1 to the loopback on the router behind the ASA.

View solution in original post

ciscobigcat,

You can source the gre tunnels from any interface, generally it is a good idea to source them for a loopback but since you already have the lan-to-lan tunnel up and working you can simply source it from the vlan 2 interface.

on remote router

config t

int tunnel 1

    ip mtu 1400

    ip address x.x.x.x 255.255.255.252

    tunnel source vlan 2

    tunnel destination 10.20.20.y

Where x.x.x.x is a new subnet just for the tunnel and y is the ip address of the 2600 at the head end.

On the 2600 you just do the reverse

config t

int tunnel 1

     ip mtu 1400

     ip address x.x.x.x+1 255.255.255.252

     tunnel source eth 0/0

     tunnel destination 10.10.10.5

then you can do your regular routing protocols across the link just as if it was a virtual link between the two sites.

-Jay

View solution in original post

18 REPLIES 18

Hi,

You can configure the crypto map on both interfaces facing the internet (ISP 1 and ISP 2).

Configure routing so that ISP 1 is always preferred over ISP 2.

Configure IP SLA to track the state of each connection.

What you would end up having is that the tunnel always establishes using ISP 1 but if it fails, the tunnel will establish via ISP 2 (and will rollback to ISP 1 when it recovers). VPN redundancy (but not really load-balancing).

Federico.

I was really looking for both. How about GLBP on the inside? The only thing that gets me is how to keep both tunnels up at all the times?

You can configure something like GLBP to load balance and failover traffic but the issue as you mentioned is can't have both tunnels established at the same time.

For VPN you can do server load balancing which is to accept remote connections and distribute the VPN traffic among more than 1 device.

But, from the same source IP to the same destination IP, the router can load-balance traffic but not establish two simultaneous tunnels (as far as I know).

Federico.

This is the scenario: Branch_Site has 2 ISPs, each connected to an 800 router. Both routers LAN interfaces sit on the same switch which has a single internal network (10.10.10.0/24). GLBP is enable on the inside and it is working smooth. We are accomplishing load-balancing (although I don't know yet whether GLBP is doing it via per-packet or per-destination) load-sharing and redundancy. But as far as the L2L tunnel goes, we tried but again we can't get the tunnels to stay up at the same time.

The other end of that tunnel is a single 2800. Here we created 2 cryptos each pointing to ISP1 and ISP2 of the Branch_Site. It is confusing because from the 2800 perspective, we can have the 2 tunnels up because each crypto points to a different peer, however the interesting traffic behind those peers at the branch are the same.

Can you explain a bit more the option of the VPN server?  Which end will be setup as the server? I guess it will be the branch which has the 2 routers... are you saying to setup this branch office as a VPN server headend and do load-sharing between the 2 ISPs?

Thank you for the help so far

Maybe you could set the 2800 as a DMVPN HUB and the 800 series as the spokes, and then run some dyanimc routing protocol(eigrp, ospf) over VPN for equal cost load balancing and failover.

What do you think Federico?

Regards,

Oszkar

I was thinking solely on IPsec VPN, but Oszcar is correct.

You can definitely configure a simple DMVPN topology to accomplish what you need :-)

Get back to us if needing any help with this.

Federico.

Guys, I was reading about DMVPN. Although it sounds heavy, at the end it could be a very simple thing to do. But I have no experience on that. Could you guys provide the config? One key item about DMVPN is scalability; this is great as I will have the ability to add spokes on the fly.

Meanwhile, I was able to get this working on this scenario. I used a dynamic routing protocol, EIGRP, and now I can keep both tunnels up and accomplish load-balancing and failover. It is working smooth and looks great when I issue a "sh ip route" on the 800 routers. The output shows 2 equal cost routes to the private LAN behind the 2800. I had some help from tac and when I asked them about this, they said whenever there are 2 equally cost routes, the router will perform load-sharing. Again this is great given that GLBP is already doing its thing on the inside at the 800 routers side. If any of these 800 boxes goes, or maybe the power source experiences an outage, the other 800 side will still be up, as well as the tunnel.

But aside from the happines, I was asked to implement the same cool stuff at another scenario.  Here, there are also 2 routers at one end, however at the headend there is an ASA5520. I know firewalls dont support any deep routing, but I dont know about the ASAs. Cisco threw in some routing features on these platforms but I'd like to know if the ASA has enough routing to deploy EIGRP just like I did with the other scenario.

Thank you in advanced for the help.

Take a look to the link below. You will find some example configs too:

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html#wp37712

Regarding the second scenario with the ASA at the head end, it will be way more challenging.
Contrary to IOS, ASA doesn't support the tunnel interface approach, hence it's support for dynamic routing over vpn is very limited.

Although I have never tried, ASA does support unicast OSPF over ipsec. Probably it has some restrictions in the way it can be implemented, but maybe you could give it a try. I can't see any other way to obtain vpn load balancing/redundancy in  your case.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

A spare router at the head end would solve everything:)

Regards,
Oszkar

How will you approach this on the ASA scenario? in the first scenario, I got to wrap GRE over IPSec and all is good. Here the crypto acl have the peer public IPs and then the tunnel interfaces come in and do their magic along with EIGRP.

How is the approach with OSPF?

Ciscobigcat,

The ASA won't be able to do the load-balancing as you want it to.  In a crypto map the ASA uses the first entry that the "match address" line matches the interesting traffic.  As a result you can't have entry 10 point to the ISP1 peer and entry 20 point to the ISP2 peer.  To be able to do the load balancing and dynamically shift the traffic you will want to run simple point to point GRE tunnels over the lan to lan ipsec tunnels terminated by the ASA.  Naturally you will need a router sitting behind the ASA since the ASA doesn't support GRE tunnels.

-Jay

I see. The scenario is what it is right now... meaning ASA at HUB and 2 routers at branch. Since this is somewhat not supported on the ASAs, and the main thing is already being accomplished at the branch (load-balance and redundancy), then I'd like to know if the following is possible: on the branch side, where the 2 routers are each connected to ISP1 and ISP2 respectively, and GLBP is working great at the inside network, can we have the L2L tunnel from router-1 (connected to ISP1) on the branch to the ASA at the hub? As you know, keeping the tunnel up form router1 to the ASA is not a problem. On the ASA, we'll configure the crypto with primary and secondary peer IPs. Peer one IP address will be that of branch ISP1 and secondary peer IP address will be that of the ISP2 at that branch.

This a perfect scenario IF the router2 connected to ISP2 is set as a "stand" by, perhaps in an HSRP scenario. BUT, since we have GLBP, packets will be sent towards the private LAN of the ASA from both routers. This will make the ASA very confused and we will have unexpected behaviors. So, is there a way, to maintain GLBP on the branch side and tell the routers that to reach the private LAN of the ASA, send the packets over router-1. Here, can we then have some sort of SLAs to track the tunnel and if the track fails, send those packets destined to ASA LAN to router-2? and on the router-2, can we have the same SLAs because packets that will reach this router destined to ASA private LAN, will want to go out and reach the ASA and thus will cause the tunnel from this router-2 to the ASA to try to come up and form?

Can this be done? this way, we control the tunnel from the branch and only let router-2 come up and form the tunnel with the ASA if something happens to router-1. ASA will then work as expected meaning that it peer 1 is not reachable, it will then use peer 2

thanks for the help

ciscobigcat,

Your analysis is correct.  In respect to having router-2 at the spoke site point it's route for the ASA private lan to the router-1 inside ip address I *think* that you might be able to configure something like the following.  I have not tried it nor know if it is possible, this is just an idea.

1)  Configure a tracking object that tracks the priority of the glbp peer. I.E. track that is X

2)  put a static route in using the tracking object that points the next hop of the asa's private lan as the inside of router-1

In this case when the glbp peer decrements it's priority or disappears router-2 will remove its static route and then follow it's default route out it's internet connect.  At this point it will be caught by the crypto map and the tunnel will build from router-2.

I hope that makes sense.  Personally I would recommend in using gre/ipsec tunnels to a router behind the ASA with a routing protocol.

-Jay

Jay thank you for those input. I think I am getting somewhere here. If you could illustrate those steps for me, that will be great... I mean the actual code.

One thing I do know is that if it wasnt for this ASA, and instead I can put another router there, this will be piece of cake. But on that end of the tunnel, I can't move that ASA out of there.

Your other suggestion is seducing me. I don't have any routers or L3 devices behind that ASA, however pretty soon I will be deploying an L3 device and I will make that the core switch. This switch will be directly behind the ASA. Let me ask you, are these 4500 switches capable of having some GRE stuff. What I take from your suggestion is that I should keep the ASA at the perimeter as it is right now, have this ASA do the IPSec with the 800 located at the other side, and then throw in GRE on a device behind the ASA (in this case, can i do this in the 4500?) But GRE is also a tunnel and this is where I am getting a bit confused...  will this 4500 GRE tunnel (if supported) be able to form a gre tunnel with the 800 router located at the other side? Wouldn't the IPSec tunnel already being done from this 800 router and the ASA conflict? Is this a supported thing? Meaning that I setup the L2L IPSec tunnel between the ASA and the 800 router, and then throw in a GRE tunnel between the 800 and the 4500? I think it is pretty cool, I havent done it this way, and I want to predict that the answer is yes, that it is doable, but can you confirm?

thank you again

ciscobigcat,

I just asked one of the switching experts I worked with and he told me that the 4500s can not handle GRE tunnel even though they are L3 switches.  So that would not work for you. 6500's or even the 3700 series switches should be able to do it no problem, but you should talk to your local sales rep to confirm it.

You can absolutely send a tunnel over another tunnel.  The concept there is that you would build a GRE tunnel between a loopback on the router behind the ASA to a loopback on router-1.  Then you build plain ipsec tunnel between router-1 and the ASA that would match all ip traffic between the loopback on router-1 to the loopback on the router behind the ASA.

View solution in original post

Content for Community-Ad