Disaster Recovery Site VPN Tunnels

Unanswered Question
Dec 17th, 2009
User Badges:

I have 150+ vendors connected to our primary data center via site-to-site  IPSEC VPN tunnels on ASA's. I want to also connect these vendors to my D/R data center and have these back-up tunnels (at each vendor location) become active whenever a primary tunnel fails. I need to view this solution from the vendor's ASA's since each vendor manages the devices on both ends of the tunnels (these are banks, etc. partners that don't allow us to manage our hardware on their network).

So, I'm looking for a solution that monitors the primary ISP- tunnel(s) on (physical interface-1) to my primary data center, then, upon failure of the primary ISP tunnel(s), the back-up ISP tunnel(s) will become active between that vendor and my D/R data center's ASA. The diagram below depicts my desired solution.

Cisco ASA DR VPN Solution.vsd

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Rick Morris Thu, 12/17/2009 - 13:14
User Badges:
  • Silver, 250 points or more

Are you wanting the DR site to activate automaticly with no user intervention if the primary goes down?  What type of failure are you expecting to have the tunnel swing?

Off the top of my head I am thinking this can be done via routing via BGP.  If the primary link goes down the IP being announced from DR will become preferred and traffic will flow that direction.  It will require authentication I am sure, I have not set that up so I am not sure how that will work exactly.  However, technically it should work.

barry-peters Thu, 12/17/2009 - 13:41
User Badges:

I need to look at this from the vendors' perspective. Remember, these vendors individually manage the ASA's at their site. I need their ASA to do the DPD and switch-over to the alternate interface that connects to my D/R data center. So, if using BGP is a better solution thatn something like a track-IP / VPN-Monitor function, then that just might be simpler. Especially since the back-up tunnel points to the D/R's data center servers IP's. That will stop the traffic from going through the D/R dc and traversing the DC to DC link and going back towards the primary DC's servers.

OK, I'l llook at BGP.

Let me know if you have any additional comments based upon the above.

Rick Morris Thu, 12/17/2009 - 13:54
User Badges:
  • Silver, 250 points or more

I understand what you are saying.  I have not set-up track IP or VPN monitor, but it does sound like routing can help with this situation.  As mentioned, BGP will allow for multiple routing announcements with weights.  If the primary announcement is pulled then the secondary announcement will then be preferred.


This Discussion

Related Content