Site-to-Site VPN Redundancy using ASAs

Unanswered Question
Sep 8th, 2009

What is the best way to set up a redundant site-to-site VPN?

We currently have two ASA 5510s (8.2) at the HQ and several ASA 5505s at remote sites. We would like the remote ASAs to automatically switch over to the second ASA at the HQ when the primary path fails.

Dual peer addresses on the remote sites with reverse route injection at the HQ and a routing protocol at HQ doesn't work, because the RR already exists when we set up the VPN, even when it's not connected.

Please advise....
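For reference, the setup the question describes (dual peers on the remote crypto map, reverse route injection on the HQ ASAs, static routes redistributed into OSPF towards the core), written out in ASA 8.2 CLI syntax. This is an added illustration, not configuration from the original post; all addresses, names and the pre-shared keys are placeholders, and it only shows the IPsec/routing pieces, not the rest of a working ASA config.

```text
! ---- Remote ASA 5505 (inside 192.168.10.0/24, outside 192.0.2.10) ----
! Interesting traffic to the HQ networks (placeholder prefixes)
access-list REMOTE_TO_HQ extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address REMOTE_TO_HQ
! Two HQ peers: the remote tries them in the listed order
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! One tunnel-group per HQ peer (placeholder keys)
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key EXAMPLE-KEY-HQ1
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key EXAMPLE-KEY-HQ2

! ---- HQ ASA 1 (outside 203.0.113.1); HQ ASA 2 is identical apart from addresses ----
access-list HQ_TO_REMOTE extended permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address HQ_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
! RRI: a static route for 192.168.10.0/24 pointing out the outside interface
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key EXAMPLE-KEY-HQ1
! Hand the injected static route to the core routers
router ospf 1
 network 10.0.0.0 255.255.0.0 area 0
 redistribute static subnets
```

To check what the thread is describing, compare `show route` on each HQ ASA (is the 192.168.10.0/24 static present?) against `show crypto ipsec sa` (does an SA for that remote actually exist?). The observation in this thread is that, on the static crypto map, the route is present on both HQ ASAs regardless of SA state, so both advertise the remote subnet into OSPF and the core has no way to tell which HQ ASA currently has the live tunnel.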



etamminga Mon, 09/14/2009 - 23:27

Thanks for the reply, but the remote site is not the problem! It's the HQ.

Because reverse route injection always injects a route (despite the lack of a valid SA), the core routers do not know where to send the traffic!

Does anybody know how to setup the routing at HQ. Bear in mind that reverse route injection doesn't do what I'd expect it to do.



OK - reverse route injection only populates a routing table with an entry when there is a valid IPsec tunnel....supposedly.

I have seen, and continue to see, that reverse route injection on ASA versions 8.0 - 8.x of IOS does not perform 100%, and advise against its use. Great function, not 100% bug free yet.

The best way to overcome this issue is to run a dynamic routing protocol in a GRE tunnel over an IPsec VPN.

Or you just enable the ASAs to be in a failover pair, and have the core routers point to the active IP address of the inside of the ASAs.
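The GRE-over-IPsec alternative suggested in the reply above, as an added example that is not part of the original thread: an IOS router at the remote site with one GRE tunnel to each HQ router, both protected by an IPsec profile, and EIGRP running over the tunnels. Routes only exist while the EIGRP adjacency over a given tunnel is up, which is the liveness signal that static-crypto-map RRI was not giving the core. Router names, AS number, prefixes, addresses and keys are placeholders; IOS routers are assumed at both ends, as the thread notes this design does not run on the ASAs.

```text
! ---- Remote router (LAN 192.168.10.0/24, WAN GigabitEthernet0/0) ----
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-KEY-HQ1 address 203.0.113.1
crypto isakmp key EXAMPLE-KEY-HQ2 address 198.51.100.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS
!
interface Tunnel1
 description GRE over IPsec to HQ1 (preferred path)
 ip address 10.255.1.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
interface Tunnel2
 description GRE over IPsec to HQ2 (backup path)
 ip address 10.255.2.2 255.255.255.252
 ! Higher delay makes EIGRP prefer Tunnel1 while both adjacencies are up
 delay 2000
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROT
!
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 10.255.2.0 0.0.0.3
 network 192.168.10.0 0.0.0.255
 no auto-summary

! ---- HQ1 router (WAN 203.0.113.1); HQ2 mirrors this with its own addresses ----
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-KEY-HQ1 address 192.0.2.10
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS
!
interface Tunnel1
 description GRE over IPsec to remote site
 ip address 10.255.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.10
 tunnel protection ipsec profile GRE-PROT
!
! Same EIGRP AS as the HQ core, so the remote LAN is advertised to the core
! only while the adjacency over Tunnel1 is alive
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 10.0.0.0 0.0.255.255
 no auto-summary
```

When the path to HQ1 fails, the EIGRP hold timer on Tunnel1 expires, HQ1 withdraws 192.168.10.0/24 from the core, and the remote's prefix remains reachable only via HQ2. `show ip eigrp neighbors` on the remote and `show ip route 192.168.10.0` on a core router are the checks to run during a failover test.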

etamminga Tue, 09/15/2009 - 00:46

RRI does seem to work as expected on dynamic tunnels (EzVPN) but fails on site-to-site.

Using GRE tunnels rules out the ASAs and requires routers (IOS).

Using failover ASAs will not work because we're using two different ISPs on the two ASAs, so ... bye bye ASAs.



