VPN "failover" with one ASA

We have a site-to-site VPN, with split tunneling, between a branch office and headquarters. The VPN is used to extend the Active Directory (AD) infrastructure to the branch office. The split tunneling ensures that only AD and DNS traffic from the branch office goes through the VPN. All other traffic, such as web, does not go through the VPN. The DHCP pool on the branch office router is configured as follows:

ip dhcp pool client
 dns-server AD_DNS1 AD_DNS2 ISP_DNS1 ISP_DNS2

When the VPN is up, client computers at the branch office would use the Active Directory DNS servers. When the VPN goes down, client computers would use ISP's DNS. From the users' point of view, everything is fine. This all happens automatically.

Let's say we do not want to use split tunneling anymore. Is there a way to configure the branch office router such that all traffic flows through the VPN when the VPN is up, and all traffic goes through the ISP when the VPN is down?

vmoopeung Tue, 04/14/2009 - 06:32

I think you want to configure your ISP link as the backup link and the VPN as the primary one. The URL below explains, with an example, how static route tracking allows the security appliance to use an inexpensive connection to a secondary Internet service provider (ISP) in the event that the primary leased line becomes unavailable.

In order to achieve this redundancy, the security appliance associates a static route with a monitoring target that you define. The service level agreement (SLA) operation monitors the target with periodic Internet Control Message Protocol (ICMP) echo requests. If an echo reply is not received, the object is considered down, and the associated route is removed from the routing table. A previously configured backup route is used in place of the route that is removed. While the backup route is in use, the SLA monitor operation continues to try to reach the monitoring target. Once the target is available again, the first route is replaced in the routing table, and the backup route is removed.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
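The static route tracking mechanism described in the reply above, written out as an ASA configuration. This is an added example, not configuration from the thread or from the linked Cisco document; MONITOR_TARGET, PRIMARY_NEXT_HOP, BACKUP_NEXT_HOP and the interface names outside and backup are placeholders you replace with your own values.

```cisco
! Added example: ASA static route tracking (SLA monitor + track + tracked route).
! All addresses and interface names below are placeholders.
!
! 1. SLA operation: periodic ICMP echo requests to a monitoring target, sent
!    out the primary interface. Pick a target that is reachable ONLY through
!    the primary path; a target reachable through both paths never fails.
sla monitor 123
 type echo protocol ipIcmpEcho MONITOR_TARGET interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
!
! 2. Tracked object whose state follows the reachability of SLA operation 123.
track 1 rtr 123 reachability
!
! 3. Primary default route. While track 1 is down, the ASA removes this route
!    from the routing table; when the target answers again, it is put back.
route outside 0.0.0.0 0.0.0.0 PRIMARY_NEXT_HOP 1 track 1
!
! 4. Backup default route with a worse metric. It is only used while the
!    tracked primary route is absent from the routing table.
route backup 0.0.0.0 0.0.0.0 BACKUP_NEXT_HOP 254
```

To verify the behaviour, check `show track 1` (Reachability is Up/Down) and `show route` before and after the monitoring target stops answering; `show sla monitor operational-state` shows the probe results. The most common mistake is choosing a monitoring target that also answers over the backup path, in which case the primary route is never withdrawn. Whether a VPN tunnel can serve as the "primary" path in this scheme depends on how the VPN is terminated; this example only shows the route tracking part the reply describes.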
