Routing backup VPN without failover

Unanswered Question
Jul 29th, 2009

I have two sites connected utilizing IPSEC with an ASA 5510 at each site. A T1 is terminated at both sites by the ASA. A site-to-site IPSEC vpn is established through the ASA. Traffic at the main site flows from the ASA 5510 to a Catalyst 4507.

We now have a secondary ASA 5510 at the primary site connected to broadband with a route map on the 4507. The route map pushes internet traffic out the secondary ASA and VPN traffic out the primary ASA.

I would like to establish a redundant VPN from the remote ASA 5510 to the local secondary ASA 5510. I'm having a problem conceptualizing routing between the Catalyst 4507 and the secondary ASA. With IPSEC vpns how can I make the Catalyst understand the secondary route to the remote site and use the secondary route when the primary T1 fails?

Edison Ortiz Wed, 07/29/2009 - 11:01

How about getting away from the PBR design and using simply routing.

On the 4507, have these routes:

ip route [remote vpn site] primary ASA

ip route secondary ASA

ip route [remote vpn site] secondary ASA 150

'150' represents a weighted static route so if the primary ASA isn't available it will use the secondary.

If you can, configure these IP routes with IP SLA, so the route gets removed from the table if the SLA is down.
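The floating static route plus IP SLA tracking described in the reply above, written out as a Catalyst IOS configuration. This is an added example, not configuration from the thread; all addresses are constructed (RFC 5737/1918 documentation ranges), and on older IOS releases the `ip sla` commands are spelled `ip sla monitor`.

```ios
! Constructed sample addressing (not from the original thread):
!   remote VPN site LAN        : 10.20.0.0 255.255.255.0
!   4507 SVI facing the ASAs   : 192.0.2.254
!   primary ASA inside address : 192.0.2.1
!   secondary ASA inside address: 192.0.2.2
!   probe target beyond the primary ASA's T1 (e.g. the remote peer's
!   public address; the ASA must permit the ICMP): 203.0.113.1
!
! Probe the far side of the T1 every 10 s through the primary ASA.
ip sla 1
 icmp-echo 203.0.113.1 source-ip 192.0.2.254
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! Track object follows probe reachability; the delays damp flapping.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Host route pinning the probe to the primary ASA, so the probe can
! never succeed via the secondary path and hide a dead T1.
ip route 203.0.113.1 255.255.255.255 192.0.2.1
!
! Route to the remote VPN site via the primary ASA, installed only
! while track 1 is up (default AD 1).
ip route 10.20.0.0 255.255.255.0 192.0.2.1 track 1
!
! Floating static (AD 150) via the secondary ASA; it only enters the
! routing table once the tracked route above has been withdrawn.
ip route 10.20.0.0 255.255.255.0 192.0.2.2 150
!
! Default route for Internet traffic via the secondary ASA.
ip route 0.0.0.0 0.0.0.0 192.0.2.2
!
! Verification after applying:
!   show track 1            (state Up/Down, and the reachability counters)
!   show ip route 10.20.0.0 (next hop flips between .1 and .2 with the track)
```

Failback on the 4507 is automatic: when the probe recovers and track 1 goes up, the AD 1 route returns and the AD 150 route leaves the table; what the remote ASA does with its second peer at that point is a separate question the thread leaves open.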

wdgolden1 Thu, 07/30/2009 - 07:52

I hadn't even thought about SLA, that will definitely help.

PBR is required since specific internal subnets access the internet using one ASA while other internal subnets access the internet using the second ASA.

I believe I would set up an identical VPN config on both ASAs at the main site. At the remote site, would I simply use 2 peers in the current VPN config? How would failback work in that situation?

Primary ASA internet link fails so routes drop out of the 4507 forcing VPN traffic out the secondary ASA. Secondary ASA builds a VPN tunnel with the remote site. Once the primary internet connection comes back online would the primary ASA build a VPN tunnel with the remote site and would that force teardown of the secondary ASA VPN tunnel?

Edison Ortiz Fri, 07/31/2009 - 08:14

Is PBR required for load-balancing, or is this application specific?

PBR is just a band-aid for most networks and shouldn't be used for a final design. If you can configure your network with purely routing, traffic engineering can be done a lot better.

If you provide a diagram along with customer requirements we can come up with better ideas for this design and I'm sure PBR will not be one of them.
