Redundant L2L VPN Tunnel between ASA and 2 IOS Routers?

Jun 29th, 2010

Hello,
We have some ASA and PIX devices connected to an IOS router in our main datacenter using IPsec L2L tunnels.

Is it possible to create a "backup tunnel" between such a PIX/ASA and another IOS router in our backup datacenter?

We would like the traffic to use the main tunnel if it is up, but to automatically switch to the "backup tunnel" in case the primary one fails. The main and backup IOS routers are located in the same LAN and are talking OSPF. I know it is possible to add multiple peers to a crypto map on the ASA, but I don't know how to route this on the datacenter routers.

Federico Coto F... Tue, 06/29/2010 - 14:52

Hi,

You can have VPN redundancy between the ASA and two IOS routers.

The ASA can have two peers under the same crypto map and both routers should have a site-to-site with the ASA.

By means of routing, you make one tunnel the primary one and have the backup take over if it fails.

Please let us know what questions you have.

Federico.
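
The setup described in this answer (one crypto map entry on the ASA listing both routers as peers, an identical site-to-site configuration on each IOS router, and routing deciding which tunnel carries traffic), as an added configuration example that is not part of the original thread. All addresses, names and the pre-shared key are assumptions: the ASA outside address is 198.51.100.10, the remote LAN behind the ASA is 192.168.10.0/24, the datacenter LAN is 10.0.0.0/24, the primary router's Internet address is 203.0.113.1 and the backup router's is 203.0.113.2. The syntax is ASA 8.2-era and IOS 12.4-era, matching the date of the thread, and the IOS side uses reverse route injection (RRI) plus DPD to tie the OSPF route to the state of the tunnel.

```text
!=====================================================================
! ASA (8.2 syntax, assumed) - one crypto map entry, two peers.
! The ASA tries 203.0.113.1 first and falls back to 203.0.113.2
! when the first peer does not answer.
!=====================================================================
access-list L2L-TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list L2L-TRAFFIC          ! NAT exemption, pre-8.3 syntax
route outside 0.0.0.0 0.0.0.0 198.51.100.1      ! default route is enough; the crypto map selects the peer
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set TS
crypto map OUTSIDE-MAP interface outside
! One tunnel-group per peer; DPD (isakmp keepalive) is what lets the ASA
! notice a dead primary and tear that SA down.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key ExamplePSK-ChangeMe
 isakmp keepalive threshold 10 retry 3
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key ExamplePSK-ChangeMe
 isakmp keepalive threshold 10 retry 3

!=====================================================================
! IOS primary router (12.4 syntax, assumed). The backup router carries
! the same configuration with its own Internet address (203.0.113.2)
! and a worse redistribution metric (e.g. "metric 100").
!=====================================================================
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key ExamplePSK-ChangeMe address 198.51.100.10
crypto isakmp keepalive 10 3 periodic           ! DPD towards the ASA
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
ip access-list extended L2L-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 192.168.10.0 0.0.0.255   ! mirror image of the ASA ACL
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 match address L2L-TRAFFIC
 reverse-route                                  ! RRI: inject a static route for 192.168.10.0/24 (see note)
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map OUTSIDE-MAP
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 redistribute static subnets metric 10          ! backup router: metric 100
```

The routing part works as follows: `reverse-route` installs a static route for the ASA's LAN on the router, `redistribute static` pushes it into OSPF, so the datacenter LAN learns 192.168.10.0/24 from whichever router holds the tunnel, with the primary preferred by its lower external metric. On recent IOS releases the RRI route exists only while the IPsec SA exists, so once DPD declares the ASA unreachable through the primary's Internet line the SA and the route are removed and the LAN stops sending traffic to that router; on older releases `reverse-route` installs the route as soon as the crypto map is applied regardless of SA state, so check `show ip route` and `show crypto ipsec sa` after bringing the tunnel down to confirm which behaviour your release has. Because the ASA walks its peer list on initiation and the backup router has no special knowledge of the primary, there is nothing on the backup that needs to "see" the primary's tunnel fail; it simply gets the next tunnel the ASA builds.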

Fresenius-Netcare Wed, 06/30/2010 - 00:00

Hi Federico,

Thanks for your reply. I am still not sure about the routing.

On the ASA I will have a static route pointing to the outside interface, won't I?
How does the ASA decide to use the primary peer if it is up, but to use the secondary in the other case?

Can I trigger the routes on the routers based on the status of the IPsec tunnel?
How will the backup router know that the tunnel on the primary router fails
(only that specific tunnel or the primary router's Internet line, but not the whole primary router)?

Thank you in advance for your help.
