04-06-2010 12:22 AM - edited 03-04-2019 08:02 AM
Hi,
We are thinking about how we can make our IPSEC tunnels fail over automatically. We have a simple design where the IPSEC endpoint is terminated on a PIX/ASA firewall, and the other end is our client. We want to have a mechanism so that whenever our client peer goes down, the traffic will be rerouted to one of our centers which has the backup tunnel configuration. Usually we use static routes to force the traffic to be routed to the other center, but we want to do it automatically. Do you have any idea how? Thanks.
John
04-06-2010 12:45 AM
What's the point? If "client goes down", that means they lost internet connectivity, and there is no solution unless another internet circuit is available.
04-06-2010 12:55 AM
I assume what you mean is that if the VPN client is unable to reach the primary IPSec peer, which is the PIX/ASA at the main site, you would like the VPN client to automatically try to connect to your other centre (assuming that the VPN Client IPSec has been configured at your other centre).
If the above assumption is correct, on the VPN client you can enable the backup server list, and you can add the other centre as the peer. However, you would need to make sure that the group name and pre-shared key are the same as at the main site.
Hope that helps.
04-06-2010 01:19 AM
Oh thanks for the reply but I think I didn't make myself clear.
Our setup is that we access our clients' servers using point-to-point IPSEC tunnels. There are times when the ISP loses connectivity to the client's network for unknown reasons. It could be a link failure or too much congestion. If that happens, our ASA/PIX firewall will lose connectivity to its peer. So what we do on our core switches is to point the traffic to another center/office, using our internal links, where the backup IPSEC tunnel configuration is configured. The backup ISP is a different provider, so there is a chance that the peer can be accessible from the other one. The backup tunnel is also used whenever our primary internet is down.
04-06-2010 01:29 AM
You can configure two "set peer" statements on the same crypto map entry for that client. It will connect to the first peer on the list, and if the first peer is not accessible, it will automatically try to connect to the second peer configured.
Example:
crypto map mymap 10 match address
crypto map mymap 10 set peer
crypto map mymap 10 transform-set
You also need to remember to configure the pre-shared key for the second peer.
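The two-peer crypto map described in this reply, written out as an added example (this is not configuration from the reply or from the original poster): ASA 8.2-style syntax is assumed (8.4 and later rename the ISAKMP/IPsec commands to ikev1), and the interface name, ACL, transform set, peer addresses and pre-shared key are all placeholders. DPD keepalives under each tunnel-group are also assumed here, so the ASA notices a dead first peer instead of waiting for the SA lifetime to expire.

```cisco
! Added example, not from the post. ASA 8.2-style syntax; all names and
! addresses below are assumptions chosen for illustration.

! Interesting traffic: our LAN to the client's server subnet (assumed ranges)
access-list CLIENT_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! One crypto map entry, two peers: the ASA negotiates with 203.0.113.10 first
! and only tries 198.51.100.10 when IKE to the first peer fails.
crypto map OUTSIDE_MAP 10 match address CLIENT_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! A tunnel-group, with its own pre-shared key, for EACH peer address. Leaving
! out the second one is the usual reason the fallback peer never comes up.
! The keepalive lines enable DPD so a silently dead peer is torn down.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key ExamplePSK-ChangeMe
 isakmp keepalive threshold 10 retry 2

tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key ExamplePSK-ChangeMe
 isakmp keepalive threshold 10 retry 2
```

Two things worth checking after applying this: "show crypto isakmp sa" tells you which of the two peers the Phase 1 SA is actually up with, and the ASA does not preempt back to the first peer on its own once it has fallen over to the second; it stays there until that SA is cleared or expires. The fallback also only helps when this ASA can itself reach the second address over its own ISP.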
04-06-2010 02:15 AM
Yes, that is correct if I need to configure one ASA/PIX with two different peers. But the other center, where the backup internet is located, also has a PIX/ASA pointing to the same peer.
So technically, we are the redundant one, not the client. We just connect to one endpoint, and they can connect to us through two endpoints on different ISPs.
04-06-2010 02:18 AM
Would it be better to have the ISP fix the unacceptable loss of connectivity toward the internet?
04-06-2010 02:40 AM
LOL. That is almost close to impossible.