GRE tunnel load balance or failover between internet VPN and MPLS

Unanswered Question
Feb 25th, 2010

Is it feasible to configure GRE on an ASA 5520 firewall to load balance or fail over between an internet VPN tunnel and MPLS?

Haris P Thu, 02/25/2010 - 22:38

I think GRE is not supported on the ASA. But you can use a router to support failover between internet VPN and MPLS.

Regards,

Haris

kokhong.chew Thu, 02/25/2010 - 22:44

But can failover be configured, since the VPN and MPLS are on separate routers?

Haris P Thu, 02/25/2010 - 23:00

Yes, failover can also be configured if you are using separate routers for internet VPN and MPLS. But normally in this scenario you have to use some routing protocol or route tracking (i.e. IP SLA) to achieve the task.

Please post your scenario diagram and config.

Regards

haris

kokhong.chew Thu, 02/25/2010 - 23:08

Yet to configure... the routers are connected to the firewall ASA 5520... I believe there is a route tracking or SLA feature in the firewall, but it can't load balance.

MARK BAKER Fri, 02/26/2010 - 06:13

I am getting ready to set up this scenario. I have OSPF running on the remote MPLS routers and the HQ router. OSPF is also configured on the inside interface our HQ ASA5520 (also internet VPN Termination).

The remote router will have a static default route pointing to the local ASA5505 (VPN internet connected). The default route is tracking an SLA (pinging the HQ ASA5520 across the internet). The remote router is also receiving a default route through OSPF with a higher weight than the static SLA-tracked default route. Internet traffic will go out the local internet connection as primary and will fail over to the MPLS network through HQ to the internet as secondary.

Our HQ data center IP subnet is advertised through MPLS and learned at the remote router. If this route goes away because of MPLS circuit outage or some other reason, traffic from the remote site to HQ data center will go over the internet based VPN between the remote ASA5505 and the HQ ASA5520.

The reason OSPF is enabled on the inside interface of the HQ ASA5520 is so that when a remote site's internet connection is down and internet bound traffic is sent through the MPLS to HQ (The remote router uses the OSPF learned default route when internet connection is down), the HQ ASA5520 knows how to route the internet return traffic back to the remote site through the MPLS network. Also, the learned OSPF route will be removed if the remote site is not reachable through the MPLS network so HQ data center traffic will use the HQ ASA5520 default route through the internet over the VPN tunnel between HQ and the remote site.

I have tested this in a lab and it worked as expected with quick convergence times. I will be setting this up in production within a couple of weeks.
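The following is an added illustration of the remote-router side of the design Mark describes (SLA-tracked static default toward the local ASA5505, OSPF-learned default and HQ subnet over MPLS as fallback); it is example configuration written for this thread, not Mark's production config, and every address, interface name and object number in it is a constructed placeholder. It relies on administrative distance: the tracked static default has distance 1 and is preferred while the probe succeeds, and the OSPF-learned default (distance 110) only takes over once the track object goes down. One caveat the posts do not spell out is that the SLA probe itself must be pinned to the internet path with a host route; otherwise, after the static default is withdrawn, the probe can reach the HQ ASA through MPLS, the track comes back up, and the default route flaps.

```cisco
! Remote-site router (all addressing constructed for this example)
!   GigabitEthernet0/0 -> inside of local ASA5505 at 192.0.2.1 (internet / VPN path)
!   GigabitEthernet0/1 -> MPLS provider edge (OSPF neighbour)
!   GigabitEthernet0/2 -> remote LAN 10.1.0.0/24
!   198.51.100.1       -> outside address of the HQ ASA5520 (SLA target)

! 1. Pin the probe target to the internet path so the probe cannot
!    "succeed" through MPLS after the tracked default is withdrawn.
ip route 198.51.100.1 255.255.255.255 192.0.2.1

! 2. IP SLA ICMP probe toward the HQ ASA5520 via the local internet link.
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now

! 3. Track object follows the probe; dampen up/down transitions to
!    avoid reacting to a single lost echo.
track 1 ip sla 1 reachability
 delay down 10 up 30

! 4. Primary default route toward the ASA5505, installed only while
!    track 1 is up (administrative distance 1 beats the OSPF default at 110).
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1

! 5. OSPF toward MPLS: learns the HQ data-centre subnet and the default
!    originated at HQ; that default becomes active only after track 1 fails.
router ospf 1
 router-id 10.1.0.254
 passive-interface GigabitEthernet0/0
 passive-interface GigabitEthernet0/2
 network 10.1.0.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.3 area 0

! --- HQ router (constructed) ---
! Advertise the HQ data-centre subnet and originate a default into OSPF.
! Without "always", the default is only advertised while the HQ router
! itself has a default route (here, toward the HQ ASA5520 inside address).
ip route 0.0.0.0 0.0.0.0 10.0.0.1
router ospf 1
 router-id 10.0.0.254
 network 10.0.0.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
 default-information originate

! --- HQ ASA5520, inside interface participating in OSPF (constructed) ---
! ASA OSPF "network" statements take a subnet mask, not a wildcard mask.
router ospf 1
 network 10.0.0.0 255.255.255.0 area 0
```

Useful verification commands on the remote router are `show track 1`, `show ip sla statistics 1` and `show ip route 0.0.0.0`; with the internet link up the last should show the static route via 192.0.2.1, and with the probe failed (track down) the OSPF-learned default via the MPLS neighbour. Traffic to the HQ data-centre subnet follows the more specific OSPF route over MPLS regardless of which default is active, and only falls back to the default (and hence the VPN tunnel through the ASA5505) when that OSPF route is withdrawn, which is the behaviour Mark describes.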

jawid.dadarkar Tue, 12/07/2010 - 03:48

Hi Mark,

I know this is a long (LONG!) time ago, but do you by any chance still have this in production? Trying to set this up and would love to get some sample configs off you.

Thanks.
