Dual ISP Support Using Static Route Tracking + VPN

Unanswered Question
Aug 18th, 2010

I am following this configuration guide for dual ISP support on an ASA 5505 and I have a few questions (http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1057935).

1.) If the primary ISP fails, the default route gets removed and the alternate/backup route gets used.  When the primary ISP becomes available, does the primary route fail back or take over from the backup ISP?  There is no tracking on the backup route, at least not in the example below.

route backupisp 0.0.0.0 0.0.0.0 172.16.2.1 254
! The above route is a floating static route that is added to the
! routing table when the tracked route is removed.

2.) I have a VPN tunnel to another site.  Will I need to create a second VPN tunnel for the backup connection/route or can I just apply the original crypto map to the backupisp?

3.) What image/ASDM will be required to achieve this goal?

kathpric Wed, 08/18/2010 - 11:02

Regarding question 1, the primary route will take over when the primary link comes back up.  This is because the primary default route has an Admin Distance of 1 and the backup has an Admin Distance of 254.  So whenever the primary is up, it will use this one.

I'll let someone else comment on questions 2 and 3.

-Kathy

Manish Naik Fri, 08/20/2010 - 10:47

For question 2: In theory you can use the same crypto map on the other interface. Routing will be checked first and then the crypto map, so this should be OK.

Also on the other side you will have to add another peer statement pointing to the secondary interface here.

For question 3: Any ASA version 8.x or later and ASDM 6.x or later should work fine. The newer the better. Please check CCO software download section to get the latest one.

Manish
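
The setup discussed in this thread, sketched as an added configuration example (not from the Cisco guide or from any poster): one tracked primary route, the floating backup route from the question, and a single crypto map bound to both interfaces, with both peers listed on the remote side. Assumptions: ASA 8.2 command syntax; all addresses except 172.16.2.1, the SLA/track IDs, and the names `vpn_map`, `remote_map` and `VPN_TO_REMOTE` are constructed; interfaces, ISAKMP policy, NAT exemption and the local tunnel-group already exist as for the current tunnel.

```cisco
! Added example; constructed addresses and names unless noted.
! --- Local ASA 5505 (dual ISP) ---
! Probe the primary ISP gateway through the outside interface.
sla monitor 123
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
!
! Primary default route (distance 1) is installed only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
! Floating static route from the question (distance 254).
route backupisp 0.0.0.0 0.0.0.0 172.16.2.1 254
!
! One crypto map, applied to both ISP-facing interfaces.
access-list VPN_TO_REMOTE extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map vpn_map 10 match address VPN_TO_REMOTE
crypto map vpn_map 10 set peer 198.51.100.10
crypto map vpn_map 10 set transform-set ESP-AES256-SHA
crypto map vpn_map interface outside
crypto map vpn_map interface backupisp
! ISAKMP must listen on the backup interface as well.
crypto isakmp enable outside
crypto isakmp enable backupisp
!
! --- Remote peer ASA ---
! Both public addresses of the dual-ISP ASA, primary first
! (192.0.2.2 = its outside address, 172.16.2.2 = its backupisp address).
crypto map remote_map 10 set peer 192.0.2.2 172.16.2.2
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
```

After a failover test, `show route` and `show crypto isakmp sa` on the local ASA show which default route is installed and which interface the tunnel came up on.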
