Haris P Thu, 02/25/2010 - 22:38

I think GRE is not supported on the ASA. But you can use a router to support failover between the internet VPN and MPLS.

kokhong.chew Thu, 02/25/2010 - 22:44

But can failover be configured, since the VPN and MPLS are on separate routers?

Haris P Thu, 02/25/2010 - 23:00

Yes, failover can also be configured if you are using separate routers for the internet VPN and MPLS. But normally in this scenario you have to use some routing protocol or route tracking (i.e. IP SLA) to achieve the task.

Please post your scenario diagram and config.

kokhong.chew Thu, 02/25/2010 - 23:08

Yet to configure... the routers are connected to the firewall, an ASA 5520... I believe there is this feature, route tracking or SLA, in the firewall, but it can't load balance.

MARK BAKER Fri, 02/26/2010 - 06:13

I am getting ready to set up this scenario. I have OSPF running on the remote MPLS routers and the HQ router. OSPF is also configured on the inside interface of our HQ ASA5520 (also the internet VPN termination).

The remote router will have a static default route pointing to the local ASA5505 (VPN internet connected). The default route is tracking an SLA (Pinging the HQ ASA5520 across internet). The remote router is also receiving a default route through OSPF with a higher weight than the static SLA tracked default route. Internet traffic will go out the local internet connection as primary and will failover to the MPLS network through HQ to the internet as secondary.

Our HQ data center IP subnet is advertised through MPLS and learned at the remote router. If this route goes away because of MPLS circuit outage or some other reason, traffic from the remote site to HQ data center will go over the internet based VPN between the remote ASA5505 and the HQ ASA5520.

The reason OSPF is enabled on the inside interface of the HQ ASA5520 is so that when a remote site's internet connection is down and internet bound traffic is sent through the MPLS to HQ (The remote router uses the OSPF learned default route when internet connection is down), the HQ ASA5520 knows how to route the internet return traffic back to the remote site through the MPLS network. Also, the learned OSPF route will be removed if the remote site is not reachable through the MPLS network so HQ data center traffic will use the HQ ASA5520 default route through the internet over the VPN tunnel between HQ and the remote site.

I have tested this in a lab and it worked as expected with quick convergence times. I will be setting this up in production within a couple of weeks.
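The design described in the post above, written out as IOS and ASA configuration. This is an added example, not Mark's production config: every interface name and address is a constructed assumption (10.0.0.0/8 for the private network, 203.0.113.10 for the HQ ASA5520 outside address, 192.168.10.1 for the remote ASA5505 inside address), and "higher weight" is read as OSPF's administrative distance of 110 versus 1 for the tracked static route.

```cisco
! ---- Remote-site router (constructed example) ----
! Probe the HQ ASA5520 across the internet, sourced from the LAN-facing interface
ip sla 1
 icmp-echo 203.0.113.10 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Primary default route (AD 1) via the local ASA5505; withdrawn when track 1 is down
ip route 0.0.0.0 0.0.0.0 192.168.10.1 track 1
!
! Caveat (added, not from the post): pin the probe target to the internet path so that,
! once the static default is withdrawn, the ping cannot succeed via the OSPF default
! over MPLS and flap the track back up
ip route 203.0.113.10 255.255.255.255 192.168.10.1
!
! Backup default route (AD 110) and the HQ data-center subnet are learned via OSPF over MPLS
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
! ---- HQ MPLS router (constructed example) ----
! Default points at the HQ ASA5520 inside address; default-information originate
! advertises it to the remote sites only while it is present in the routing table
ip route 0.0.0.0 0.0.0.0 10.1.1.1
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 default-information originate
!
! ---- HQ ASA5520, inside interface (constructed example) ----
! OSPF on the inside lets the ASA learn remote-site subnets via MPLS for return traffic;
! when a remote site disappears from OSPF, its traffic falls back to the VPN default
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

On the remote router, `show track 1` and `show ip route 0.0.0.0` show which default route is installed at any moment, which is the quickest way to confirm the failover actually switched.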

MARK BAKER Thu, 03/18/2010 - 11:11

I have set this up in production and it is working great.

jawid.dadarkar Tue, 12/07/2010 - 03:48

Hi Mark,

I know this is a long (LONG!) time ago, but do you by any chance still have this in production? Trying to set this up and would love to get some sample configs off you.