ASA redundant VPN tunnel configuration (2 remote sites)

Unanswered Question
Sep 21st, 2009

Hey Pros!

We have an ASA here with two ISP links running directly to it. The ASA provides LAN-to-LAN VPN tunnel services between us and our partner company. The partner company has two separate sites, which we will call Site A and Site B.

Our ASA's primary ISP interface has a VPN tunnel connected to Site A. The secondary ISP interface has a VPN tunnel connected to Site B. Therefore, provided our primary ISP is up and Site A's ISP is up, all traffic will flow over this tunnel, as we have a static route that says all traffic to the remote site goes out the primary ISP interface. We have another static route with a higher cost for the secondary ISP interface.

What we need to incorporate is some form of redundancy where if the tunnel goes down, we start to route all traffic over the Site B tunnel. The trouble is, I know we can track static routes and things for IP connectivity, but can we track tunnel status or something else?

My concern is that if IP connectivity to Site A is fine but, for whatever reason, the tunnel goes down, the ASA has no way of knowing this and will just keep trying to send traffic this way.

I hope this makes sense and I look forward to hearing some recommendations! Thanks in advance,

Graham
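The static-route tracking Graham refers to, written out as a constructed ASA configuration (this is an added example, not from the thread or from Cisco's linked document). It assumes: inside LAN 10.0.0.0/24; the partner LAN 10.10.0.0/16 is reachable through either Site A (peer 198.51.100.20, via interface `outside`, gateway 203.0.113.1) or Site B (peer 198.51.100.40, via interface `backup`, gateway 192.0.2.1); all addresses are documentation ranges and the pre-shared keys are placeholders. One crypto map is bound to each ISP interface, and an `sla monitor` probe drives a tracked primary route so the backup route takes over when the probe fails.

```cisco
! Constructed example; addresses and names are assumptions, not from the thread.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 192.0.2.10 255.255.255.0

! Same protected networks on both tunnels; only the peer and egress interface differ.
access-list PARTNER_VPN_A extended permit ip 10.0.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list PARTNER_VPN_B extended permit ip 10.0.0.0 255.255.255.0 10.10.0.0 255.255.0.0

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto isakmp enable backup

! Dead peer detection clears a dead SA so traffic re-triggers IKE, but it
! does not change routing; that is what the tracked route below is for.
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key <SITE_A_PSK_PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.40 type ipsec-l2l
tunnel-group 198.51.100.40 ipsec-attributes
 pre-shared-key <SITE_B_PSK_PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2

crypto map MAP_A 10 match address PARTNER_VPN_A
crypto map MAP_A 10 set peer 198.51.100.20
crypto map MAP_A 10 set transform-set ESP-AES256-SHA
crypto map MAP_A interface outside

crypto map MAP_B 10 match address PARTNER_VPN_B
crypto map MAP_B 10 set peer 198.51.100.40
crypto map MAP_B 10 set transform-set ESP-AES256-SHA
crypto map MAP_B interface backup

! Default route out the primary ISP; pin Site B's peer address to the backup ISP
! so IKE/ESP for that tunnel never leaves via the primary interface.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route backup 198.51.100.40 255.255.255.255 192.0.2.1 1

! ICMP probe to Site A's peer out the primary interface: 3 echoes every 10 s.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.20 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability

! Primary route to the partner LAN is withdrawn when track 10 goes down,
! at which point the higher-metric backup route (and thus MAP_B) is used.
route outside 10.10.0.0 255.255.0.0 203.0.113.1 1 track 10
route backup 10.10.0.0 255.255.0.0 192.0.2.1 254
```

`show track 10` and `show route` confirm which path is active; `show crypto ipsec sa` shows which peer currently holds an SA. Note the limitation Graham raises is real for this design: the probe measures IP reachability to the peer's public address, so an IPsec SA that is broken while the peer still answers ICMP will not flip the route. Dead peer detection tears the dead SA down and forces renegotiation, but the only signal that actually changes the routing decision here is the probe.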

bapatsubodh Mon, 09/21/2009 - 11:52

Hi Graham Felming,

My understanding is:

Your_office_LAN to Site A LAN tunnel is running on ISP 1.

Your_office_LAN to Site B LAN tunnel is running on ISP 2.

I am really not clear about how your applications will know that Subnet_A is not available and so start using Subnet_B. But keeping that aside, here is what I can suggest.

Please see the attached link; the example there shows conditional NATing using rtr reachability and track for ISP failure.

In my opinion you can attach the crypto map to two interfaces and then route the traffic to the primary and then to the second.

URL is:

https://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Please come back with how you do it finally. I am very much interested in this setup.

Here is what we did; it was very simple in our case: we created GRE-IPsec tunnels between the two sites and ran a routing protocol. The routing protocol takes care of redundancy; after all, those are designed for this!!

Hope this helps. Rate if possible.

Regards

Subodh
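The GRE-over-IPsec-plus-routing-protocol approach Subodh describes, as a constructed example that is not his configuration or anything from the thread. It is shown on an IOS router at our site, since the ASA of that era has no GRE tunnel interfaces; it assumes our LAN 10.0.0.0/24 on Gi0/2, ISP1 on Gi0/0 (gateway 203.0.113.1), ISP2 on Gi0/1 (gateway 192.0.2.1), Site A and Site B routers at 198.51.100.20 and 198.51.100.40, EIGRP AS 100 run by both sides, and placeholder pre-shared keys. Tunnel failure is detected by GRE keepalives and the EIGRP hold timer rather than by probing IP reachability, which is the gap the original question was about.

```cisco
! Constructed example; addresses, interface names and AS number are assumptions.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <SITE_A_PSK_PLACEHOLDER> address 198.51.100.20
crypto isakmp key <SITE_B_PSK_PLACEHOLDER> address 198.51.100.40
crypto isakmp keepalive 10 3 periodic

! Transport mode is enough: GRE already supplies the outer IP header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS

! Tunnel0 over ISP1 to Site A. GRE keepalives drop the tunnel's line protocol
! when the far end stops answering, even if the peer's public IP still pings.
interface Tunnel0
 description GRE/IPsec to Site A via ISP1
 ip address 172.16.0.1 255.255.255.252
 bandwidth 1000
 delay 1000
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.20
 tunnel protection ipsec profile GRE-PROT

! Tunnel1 over ISP2 to Site B, with a higher delay so EIGRP prefers Tunnel0
! while both are up and fails over to Tunnel1 when Tunnel0 goes down.
interface Tunnel1
 description GRE/IPsec to Site B via ISP2
 ip address 172.16.0.5 255.255.255.252
 bandwidth 1000
 delay 2000
 keepalive 10 3
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.40
 tunnel protection ipsec profile GRE-PROT

! Pin each peer's public address to its own ISP so both tunnels do not
! follow the default route out ISP1.
ip route 198.51.100.20 255.255.255.255 203.0.113.1
ip route 198.51.100.40 255.255.255.255 192.0.2.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 192.0.2.1 250

! EIGRP peers with the partner over both tunnels; only the tunnels are active,
! the LAN and ISP interfaces are passive.
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 172.16.0.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1
```

With this, the partner's subnets arrive as EIGRP routes via both tunnels and the router installs the Tunnel0 path because of its lower delay. If Site A's tunnel breaks, either the GRE keepalive takes Tunnel0 down or the EIGRP neighbour times out, and the routes via Tunnel1 take over without any static route tracking. `show ip eigrp neighbors` and `show interfaces tunnel 0` are the first things to check when verifying the failover.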
