Redundant Site to Site VPN Pix/ASA

Answered Question
Feb 1st, 2008

Hi All,

I have a site which has two peer endpoints and wants one of them to be redundant. I know it's possible to configure on the crypto map more than one peer.

Is there a configuration feature like dpd available on the pix/asa? The version running on the pix is 7.2.3.

TIA

Jack

Correct Answer by acomiskey about 8 years 10 months ago

See here under usage guidelines...

http://cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2066090

connection type needs to be originate-only as well, which means the far end must be answer-only.

I also don't think you need to create separate tunnel groups, but I could be wrong.

jackwikinski Fri, 02/01/2008 - 08:50

Hi,

Thanks for your answer.

In essence my config should look something like this:

crypto map match address 101

crypto map pix set peer peer one

crypto map pix set peer peer two

crypto map set transform-set myset

tunnel-group peer 1 type ipsec-l2l

tunnel-group peer 1 ipsec-attributes

isakmp keepalive 10 2

tunnel-group peer 2 type ipsec-l2l

tunnel-group peer 2 ipsec-attributes

isakmp keepalive 10 2

Thanks.

Jack.
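
The rule from the accepted answer (a crypto map entry with backup peers must be originate-only) can be checked mechanically against a saved configuration. The following is an added example, not part of the original thread or Cisco's tooling; the map name, sequence numbers and documentation-range addresses are constructed, and audit() is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample config: entry 10 lists a backup peer but keeps the default
# (bidirectional) connection type; entry 20 follows the accepted answer.
SAMPLE = """\
crypto map pix 10 match address 101
crypto map pix 10 set peer 192.0.2.1 198.51.100.1
crypto map pix 10 set transform-set myset
crypto map pix 20 match address 102
crypto map pix 20 set peer 203.0.113.1 203.0.113.2
crypto map pix 20 set transform-set myset
crypto map pix 20 set connection-type originate-only
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.2 type ipsec-l2l
"""

SET = re.compile(r"^crypto map (\S+) (\d+) set (peer|connection-type) (.+)$")
TGROUP = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")

def audit(config):
    """Return [((map, seq), message)] for entries that break the backup-peer rule."""
    peers = defaultdict(list)   # (map, seq) -> peers in configured order
    conn_type = {}              # (map, seq) -> explicitly configured connection type
    groups = set()              # names of LAN-to-LAN tunnel groups
    for raw in config.splitlines():
        line = raw.strip()
        m = SET.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            if m.group(3) == "peer":
                # Covers one "set peer A B" line and repeated "set peer" lines.
                peers[key].extend(m.group(4).split())
            else:
                conn_type[key] = m.group(4).strip()
            continue
        m = TGROUP.match(line)
        if m:
            groups.add(m.group(1))
    findings = []
    for key, plist in sorted(peers.items()):
        if len(plist) > 1 and conn_type.get(key) != "originate-only":
            findings.append((key, "multiple peers without originate-only"))
        for peer in plist:
            if peer not in groups:
                findings.append((key, f"no tunnel-group named for peer {peer}"))
    return findings

if __name__ == "__main__":
    for (name, seq), msg in audit(SAMPLE):
        print(f"crypto map {name} {seq}: {msg}")
```

The second finding type only reports that no tunnel group is named after a peer; whether that matters depends on how the remaining peers are meant to authenticate.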
