ASA - backup links AND static site tunnels

Unanswered Question

I understand the fundamentals of redundant backup links (see example in However, I need some advice when the ASA device participates in static IPSEC tunnels. If I configure redundancy as the link above in the near ASA and have a static tunnel defined with a PIX at the far end, the far end won't be able to reach the near end during a backup link switchover. How does one handle that? Can the tunnels be defined twice with the same interesting traffic, or is there something fundamental I'm missing? Thanks!

acomiskey Thu, 08/09/2007 - 07:23

I believe the remote pix would have multiple peer addresses.

crypto map newmap 10 set peer x.x.x.1

crypto map newmap 10 set peer x.x.x.2

The local ASA would have its connection type set to answer-only.

crypto map outside_map 10 set connection-type answer-only

And both devices would be running dead peer detection, isakmp keepalives.

isakmp keepalive 10

Thanks, I was unaware you could have two peers at the same time. If I had fully redundant paths into the local PIX that are both available, could I do that without using redundant links? I'm afraid I'm quite ignorant with this.

My remote site is very well connected, PIX devices in failover with BGP routing against two backbones. The local site is T1 + cheap DSL that I need to keep connected without the remote site's level of sophistication, expense and complexity.

acomiskey Thu, 08/09/2007 - 08:12

From the command line guide for pix 6.3...

"For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the PIX Firewall received either traffic or a negotiation request from for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list."

Here's where I get confused looking into this. On my near end I've got 2 different ISPs, and my default gateway is set to be just one of those. On the far end I've got one IP address on my PIX because it's got redundancy to the internet on it without a need for multiple crypto map entries.

So, if I do something like this on the far end:

!--- Traffic to ISP 1:

crypto map redundant 10 ipsec-isakmp

crypto map redundant 10 set peer

!--- Traffic to ISP 2:

crypto map redundant 20 ipsec-isakmp

crypto map redundant 20 set peer


crypto map redundant interface outside


(I'm omitting lots of details about access lists and transform-sets)

On the near end what do I do? I need to define crypto maps for the same traffic but apply them to different interfaces. What is going to happen? This isn't redundancy, as the crypto map isn't applied to the same interface, as it's set up on the far end.

How would the near end know to route out ISP #2 if my default gateway disappears when ISP #1 goes down?

acomiskey Mon, 08/13/2007 - 11:53

"How would the near end know to route out ISP #2 if my default gateway disappears when ISP #1 goes down?"

-Static routing backup with object tracking would accomplish this in pix/asa 7, but it's not available in pix 6.

Can one create two IPSEC tunnels then using 2 different interfaces?

On the far PIX I have a spare interface, and can give it a unique external IP and apply a crypto map to it.

On the near ASA, I can define a static route for just that far PIX IP to go through my second ISP, then apply a crypto map to it as well.

My question is in this scenario, can the crypto map be applied to different interfaces with the same ACL to define what traffic is protected? It's different from the multiple peer setting when applied to the same interface. Could this work?

Thanks again for my incessant questions. :-)


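The pieces discussed in the thread (multiple peers on the far PIX, answer-only on the near ASA, DPD on both, and a tracked backup default route on the near end) fit together as below. This is an added configuration sketch, not from the thread or from Cisco's documentation. Assumptions: the near ASA runs 7.2 or later (needed for sla monitor/track), the far PIX runs 6.3, the addresses are documentation ranges chosen for illustration (ISP1 next hop 203.0.113.1, ISP2 next hop 198.51.100.1, far PIX 192.0.2.10), protected networks are 10.1.0.0/16 (near) and 10.2.0.0/16 (far), and CHANGEME stands for a real pre-shared key.

```cisco
! ===== Near-end ASA (7.2+), two ISP interfaces =====
! Addresses are assumed for illustration.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! Probe ISP1's next hop; when it stops answering, the tracked default
! route is withdrawn and the higher-metric route via ISP2 takes over.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
!
! One crypto map, one interesting-traffic ACL, applied to both ISP
! interfaces so the PIX can reach the near end on either address.
access-list L2L_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map L2L_MAP 10 match address L2L_TRAFFIC
crypto map L2L_MAP 10 set peer 192.0.2.10
crypto map L2L_MAP 10 set transform-set ESP-AES-SHA
! answer-only: the near ASA never initiates; the PIX walks its peer list.
crypto map L2L_MAP 10 set connection-type answer-only
crypto map L2L_MAP interface outside
crypto map L2L_MAP interface backup
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key CHANGEME
 ! DPD: declare the peer dead after 10 s idle plus 3 failed retries
 isakmp keepalive threshold 10 retry 3

! ===== Far-end PIX 6.3, single outside address 192.0.2.10 =====
access-list L2L_TRAFFIC permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map L2L_MAP 10 ipsec-isakmp
crypto map L2L_MAP 10 match address L2L_TRAFFIC
! Two peers for the same flow: IKE tries them in order when one fails.
crypto map L2L_MAP 10 set peer 203.0.113.2
crypto map L2L_MAP 10 set peer 198.51.100.2
crypto map L2L_MAP 10 set transform-set ESP-AES-SHA
crypto map L2L_MAP interface outside
isakmp enable outside
! One pre-shared key entry per near-end address the PIX may talk to.
isakmp key CHANGEME address 203.0.113.2 netmask 255.255.255.255
isakmp key CHANGEME address 198.51.100.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! DPD on the PIX: keepalive every 10 s, retry every 5 s
isakmp keepalive 10 5
sysopt connection permit-ipsec
```

Two caveats a practitioner would check before relying on this. First, because the near ASA is answer-only, the tunnel only comes back after a switchover when the PIX either has interesting traffic to send or its DPD declares 203.0.113.2 dead and re-initiates to 198.51.100.2; traffic that originates only on the near side will sit until that happens. Second, a tunnel negotiated to the backup address stays bound to the backup interface until it is torn down, so after ISP1 recovers the tunnel remains on the DSL link until the SA expires or is cleared (clear crypto isakmp sa / clear crypto ipsec sa on the ASA), which is worth scheduling rather than discovering.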