ASA site2site VPN headend redundancy

oldcreek12
Level 1

Hi, here is my situation: we have two ISPs in HQ. The ASA has its outside IP from ISP1, and we have a WAN load-balancer sitting in front of the ASA; when ISP1 goes away, the WAN load-balancer will NAT the ISP1 IP to the ISP2 IP.

Now I want to implement site2site VPN redundancy for remote offices, and I am not sure whether the following configuration on the remote ASA would work:

crypto map mymap 1 match address traffic_to-HQ
crypto map mymap 1 set peer ISP1_IP
crypto map mymap 2 match address traffic_to-HQ
crypto map mymap 2 set peer ISP2_IP

tunnel-group ISP1_IP
<tunnel-group configuration>

tunnel-group ISP2_IP
<tunnel-group configuration, exactly the same as above>

ISP1_IP and ISP2_IP are essentially the same IP (HQ-ASA's outside IP) after the WAN load-balancer's static NAT. I am wondering what the effect of the above configuration is: would the remote ASA establish two ISAKMP/IPsec SAs to the HQ-ASA, or would the remote establish only the first one? If the latter, is it because crypto map seq 2's "match address" ACL is the same as seq 1's?

1 Reply

Todd Pula
Level 7

From the spoke's perspective, you will set up one crypto map entry that points to a primary and a secondary peer IP. For example:

crypto map mymap 1 match address traffic_to-HQ
crypto map mymap 1 set peer ISP1_IP ISP2_IP
crypto map mymap 1 set transform-set TSET

tunnel-group ISP1_IP
tunnel-group ISP2_IP
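A fuller version of the spoke-side configuration described in the reply, written as an added example (not Todd Pula's or Cisco's own config). It assumes pre-8.4 ASA syntax to match the `set transform-set` line above, placeholder peer addresses ISP1_IP/ISP2_IP, a constructed spoke LAN 192.168.2.0/24 and HQ LAN 192.168.1.0/24, and a placeholder pre-shared key. The dead-peer-detection keepalive under each tunnel-group is what lets the spoke notice that the primary peer is unreachable and move on to the second peer listed in `set peer`; without it, failover waits for the IPsec SA to time out.

```cisco
! Spoke ASA: one crypto map entry, two peers (primary first, secondary second)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Interesting traffic: constructed spoke LAN -> HQ LAN
access-list traffic_to-HQ extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

crypto ipsec transform-set TSET esp-aes-256 esp-sha-hmac

! A single entry: the ASA tries ISP1_IP first and falls back to ISP2_IP.
! Two entries with the same match-address ACL would never both be used,
! because the first matching entry always wins.
crypto map mymap 1 match address traffic_to-HQ
crypto map mymap 1 set peer ISP1_IP ISP2_IP
crypto map mymap 1 set transform-set TSET
crypto map mymap interface outside

! One tunnel-group per peer address; keep the PSK identical so that the
! HQ ASA (behind the load balancer's NAT) authenticates the same way on
! either path. CHANGE_ME is a placeholder, not a real key.
tunnel-group ISP1_IP type ipsec-l2l
tunnel-group ISP1_IP ipsec-attributes
 pre-shared-key CHANGE_ME
 isakmp keepalive threshold 10 retry 2

tunnel-group ISP2_IP type ipsec-l2l
tunnel-group ISP2_IP ipsec-attributes
 pre-shared-key CHANGE_ME
 isakmp keepalive threshold 10 retry 2
```

After a failover the spoke stays on ISP2_IP until that SA is torn down or expires, so check `show crypto isakmp sa` on the spoke to confirm which peer is active rather than assuming it returned to ISP1_IP.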