03-09-2010 11:54 AM
Is it possible to have two VPN endpoints configured in two separate sites, one as a primary and one as a DR site? All VPN peers should connect to the primary site; however, if it is unavailable, then connect to the DR VPN endpoint.
03-09-2010 12:22 PM
Hi,
It is possible to have two VPN endpoints in two different sites as long as both sites can reach the same internal network and resources.
For example, if you have Site A and Site B, most likely both sites don't share the same internal network. This is a problem if connecting via VPN to the first site and failing over to the second site. (This problem does not happen if both VPN endpoints are at the same location.)
It is not impossible to have the failover for the two VPN endpoints on different sites, but you have to be very cautious with the routing (it all depends on the topology).
Let me know if you have any questions.
Federico.
03-09-2010 12:45 PM
Thanks for your reply. Both endpoints do share the same internal LAN. How would you configure this on an ASA?
03-09-2010 01:09 PM
It depends if the configuration is for Site-to-Site VPN or Remote Access...
Either way, the client or peer needs to point to both IPs of the VPN headend (one having priority), and both VPN headend devices should share the same crypto configuration.
Let me know the details so that I can help you further.
Federico.
03-09-2010 01:16 PM
How do you prioritize one headend over another?
03-09-2010 01:26 PM
For example, if you have an L2L, then under the crypto map you specify on the peer:
cry map NAME 60 set peer 1.1.1.1 2.2.2.2
Assuming the first VPN headend is 1.1.1.1 and the second is 2.2.2.2
If it's a VPN client, then in the VPN software, under the backup servers command, you can enable the backup IPs in order of priority.
Federico.
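A fuller remote-peer configuration built around the `set peer 1.1.1.1 2.2.2.2` line above, as an added example that is not part of the original thread. It assumes pre-8.4 ASA IKEv1 syntax; the ACL name, subnets, transform-set name, `outside` interface name, and key placeholders are all hypothetical.

```cisco
! Remote-peer ASA (added example; names, subnets and keys are placeholders)
! Interesting traffic: local LAN to the LAN shared by both headends
access-list VPN-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Phase 1 policy: must match on BOTH headends
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! Phase 2 transform set: must match on BOTH headends
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Peers are tried in the order listed: 1.1.1.1 (primary), then 2.2.2.2 (DR)
crypto map NAME 60 match address VPN-TRAFFIC
crypto map NAME 60 set peer 1.1.1.1 2.2.2.2
crypto map NAME 60 set transform-set ESP-AES256-SHA
crypto map NAME interface outside

! One tunnel-group per headend; without the second one the DR peer
! cannot be authenticated when the primary is unreachable
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key <PRIMARY-KEY-PLACEHOLDER>
 ! Keepalives (DPD) let the ASA detect that the primary peer is dead
 isakmp keepalive threshold 10 retry 2

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key <DR-KEY-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
```

Each headend needs the mirror-image ACL, the same policy and transform set, and a tunnel-group for this peer's public IP.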
03-09-2010 01:33 PM
Perfect, thanks!