Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
838
Views
0
Helpful
6
Replies

Datacenter Dynamic VPN Failover with ASA's

francisco_1
Level 7
Level 7

‎06-24-2008 04:32 AM - edited ‎03-11-2019 06:03 AM

I have two datacenters connected via EIGRP dynamic routing. Branch offices terminating at the datacenters via lease lines.

I would like to backup the lease lines with ipsec vpn on either ASA's 5520 or higher or cisco 2800 routers. Using either EIGRP on the ASA's or static routing with higher Advertised distance, i would like to failover to the ipsec vpn tunnels automatically if any lease line is down. I am planning to have a pairs of ASA's between the datacenters and connect all branch offices to the ASA's via ipsec tunnel.

Has anyone done this before?

Will it be better to use cisco routers instead of ASA's with better through-put. does anyone have a design ?

Thanks

Labels:
0 Helpful
6 Replies 6

Collin Clark
VIP Alumni
VIP Alumni

‎06-24-2008 05:11 AM

I have not done it on that large of scale, but I have setup sites to failover with VPN. There is a good book on designing such scenarios.

http://www.amazon.com/IPSec-VPN-Design-Networking-Technology/dp/1587051117/ref=sr_1_5?ie=UTF8&s=books&qid=1214312952&sr=8-5

I prefer to use routers since they have more functionality, but setting up the ASA to do it wasn't that bad.

0 Helpful

francisco_1
Level 7
Level 7
In response to Collin Clark

‎06-24-2008 05:24 AM

Colin,

I have a copy already. might have to go through it.

any more ideas?

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to francisco_1

‎06-24-2008 05:26 AM

Great. It really isn't that hard :), I used EIGRP and floating static routes. Do you a specific question?

0 Helpful

francisco_1
Level 7
Level 7
In response to Collin Clark

‎06-25-2008 12:58 AM

Colin,

No routing question at this stage.

Thanks anyway.

0 Helpful

HYE WILSON
Level 1
Level 1
In response to Collin Clark

‎07-23-2008 04:49 PM

collin,

WOuld you mind posting a copy of the working configuration. I have a situation where I have an ASA5505 in the main site and the Cisco2801 at the remote site. The primary connection between them is P2P T1, but I want to use VPN over DSL as backup. Having a problem bringing up the VPN tunnel when the T1 is down. Any help will be appreciated. TIA. H. WIlson

0 Helpful

husycisco
Level 7
Level 7
In response to HYE WILSON

‎07-23-2008 05:44 PM

Hello Franco,

ASAs can not terminate a GRE tunnel, which is essential for building this structure with dynamic routing protocols.

I had a couple of ASA 5540s in core in one of the projects that I leaded, 500 simultaneous RA connections from branches replicating SQL Databases from all over the country, throughput has never been an issue. But forget about Active/Active failovering Site to site IPsec VPN tunnels. It is not supported. You can do Active/Passive.

Do branches have 2 different routers for terminating lease line and an internet connection? What kind of switches involved?

Regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card