07-11-2007 12:34 AM - edited 02-21-2020 03:08 PM
Hi all,
The scenario is as follows: I have two sites (A and B). In site A I have one ASA, and in site B I have two ASAs serving the same internal network segments (VLANs), but each is connected to a different ISP from the outside interface point of view. The plan is to establish an IPSec tunnel between the two sites, and here the question is raised: how could we configure the two ASAs in site B to be in failover for IPSec tunnels only? Or, to phrase my question a different way, how could we configure a single ASA to establish IPSec tunnels with two standalone ASAs so that, if the first one fails, the other takes over the responsibility of acting as the IPSec termination point?
Appreciate your coordination in advance.
07-11-2007 03:27 AM
Hi
The simplest thing to do would be to replicate your configuration between the two standalone ASA devices, and then on the single ASA, under the crypto map settings, you can enter two peer statements, e.g.
crypto map vpn-set 1 set peer "first ASA IP address"
crypto map vpn-set 1 set peer "second ASA IP address"
The ASA will try the peers in order.
HTH
Jon
07-12-2007 07:30 AM
You also have to set the VPN at site A to answer only, and the two at the site B to answer only. This means, though, that site A always has to bring up the tunnel. You can make a ping script on site A to keep the tunnel up to combat this...
07-14-2007 02:05 AM
Hi,
To accomplish the task of setting the VPN at both sites to answer only, is further configuration required beyond the normal IPSec VPN parameters?
I'm a newbie to ping scripts; could you please shed more light on this? If you have a sample, it would be highly appreciated.
Regards,
Belal
07-16-2007 07:03 AM
To set it to originate-only or answer-only, use the following crypto map lines:
crypto map outside_map 20 set connection-type originate-only
crypto map outside_map 20 set connection-type answer-only
For the ping script, you may have to look online or make it via Perl (can't really help with that).
***********PLEASE RATE******************
Cheers.
Jay
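Putting Jon's two-peer crypto map and Jay's connection-type lines together, here is an added, constructed example of what the site A and site B configurations could look like. It is not from the thread or from Cisco documentation; the access-list and transform-set names, the 10.1.0.0/16 and 10.2.0.0/16 inside networks, the RFC 5737 documentation addresses used for the outside interfaces (192.0.2.1 for site A, 198.51.100.1 and 203.0.113.1 for the two site B ASAs), and the 7.2/8.0-style `crypto isakmp` syntax are all assumptions. Site A lists both site B peers in one `set peer` line, which the ASA tries in order; site A is `originate-only` and both site B ASAs are `answer-only`, which is the 7.x workaround discussed in the thread (later posts report it is not needed on 7.2(22)/8.0). The `isakmp keepalive` (dead peer detection) lines are the piece a practitioner would want added: without them, site A only notices that the first site B peer is gone when the SA lifetime expires or traffic fails, so failover to the second peer is slow.

```cisco
! ---- Site A ASA (constructed example, not the poster's config) ----
! Interesting traffic: site A inside (10.1.0.0/16) to site B inside (10.2.0.0/16)
access-list A-to-B extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! Pre-8.3 NAT exemption so tunnelled traffic is not translated
nat (inside) 0 access-list A-to-B
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 20 match address A-to-B
! Both site B peers on one line: the ASA tries them in order, falling back
! to the second only when the first does not respond
crypto map outside_map 20 set peer 198.51.100.1 203.0.113.1
crypto map outside_map 20 set transform-set ESP-AES-SHA
! Site A always brings the tunnel up (7.x backup-peer workaround)
crypto map outside_map 20 set connection-type originate-only
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! One tunnel-group per site B peer; the same PSK must be set on that peer
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <SHARED-SECRET-PLACEHOLDER>
 ! Dead peer detection: declare the peer dead after 10 s idle plus 2 s retries
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <SHARED-SECRET-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2

! ---- Site B ASAs (identical on both; only the outside address differs) ----
access-list B-to-A extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list B-to-A
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 20 match address B-to-A
crypto map outside_map 20 set peer 192.0.2.1
crypto map outside_map 20 set transform-set ESP-AES-SHA
! Site B never initiates; it only answers site A
crypto map outside_map 20 set connection-type answer-only
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key <SHARED-SECRET-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
```

Because site B is answer-only, the tunnel only exists while site A has something to send, which is why the thread suggests a host on site A that periodically pings a site B address matched by the access-list. Note that both site B ASAs must carry the same inside routes and the same PSK for 192.0.2.1, otherwise the second peer will accept the IKE negotiation but traffic will not flow after failover.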
07-16-2007 02:33 PM
hi guys,
Well, if possible, upgrade to 8.0; this will help you a lot, because this was the bug, or you can say limitation, of 7.2 IOS in PIX or ASA: you cannot specify 2 peers, or in other words a backup peer for VPN. In the 7.2(22) interim release this was fixed; you don't need to specify originate-only.
But 7.2(22) has some problems with remote-access VPN. Think of 8.0, which is good and will help you with what you want to achieve.
And in this type of VPN connectivity, disable the PFS.
hope this helps you.
regards
amit
08-07-2007 05:06 AM
So you are telling me (us) that the need to use originate-only on multiple-peer crypto maps (backup peer) has been totally eliminated in 7.2(22)? If so, then it would seem it's closer to the old PIX 6.3(5) code, which worked(s) like a charm.
And if this is true, this would mean we could run bi-directional in this scenario. That would be great!
08-07-2007 04:30 PM
hi,
Yes, my friend Joe. After 7.2(22) and 8.x it works like 6.3(5).
You can run bi-directional, no problems at all. I have tested that and it is working in my network.