Dual home VPN tunnel question

May 12th, 2010

For disaster recovery purposes, we have two ASAs. One is at our main corporate office, the other is at an offsite DR facility. I have worked up a VPN configuration for the remote offices that should allow them to automatically fail over to the DR facility if corporate goes offline for some reason. My concern is with the ASA itself. We have OSPF set up on each ASA that advertises the remote office subnets that connect to it. Even if that office is not connected, the ASA still advertises that it can route that subnet.

Is there a way that we can only have the ASA advertise that it can route a subnet if a particular tunnel is up, or do we need to use a manual procedure to fail over the remote endpoints to the DR facility?



gatlin007 Sun, 05/30/2010 - 08:29

The ASA is a good firewall and IPsec tunnel endpoint.

For dual-homed routing solutions a router with the firewall feature set is a better fit. This gives the network advanced routing features, IPsec and stateful inspection all on one box.

Christopher Gatlin

