Possible failover scenarios for VPNs over primary/secondary peers

Unanswered Question
Sep 15th, 2010


We have a few clients that we establish VPNs with. The ones that use Juniper routers for VPNs want to establish a failover configuration where our VPN would dynamically route over a VPN to their secondary peer address. Their secondary peer address is on their own backup internet circuit.

They have no problem with making the failover dynamic on their side.

We have to manually change a static route to point to their secondary peer address as the gateway for their internal network before the traffic takes the secondary path. Since this client is on the other side of the world, this involves waking the oncall engineer in the middle of the night which is inherently a kludgey process.

Here's our config. I'm open to suggestions. These IP's are fictitious of course and we proxy route the public IP thru the internet firewall to enable the public loopback. Inside and outside VPN router interfaces are privately addressed.

The routes we have to change to route to their secondary peer would be these statics:

no ip route a.a.a.a

ip route b.b.b.b

10.1.x.0 and 10.1.y.0 are our local networks.


crypto map CryptoMap local-address Loopback0

crypto map CryptoMap 180 ipsec-isakmp

description VPN to client - both peers required!!!

set peer a.a.a.a

set peer b.b.b.b

set security-association lifetime kilobytes 4096

set transform-set Transform

set pfs group2

match address Client-networks

interface Loopback0

ip address

crypto map CryptoMap

ip route a.a.a.a

ip route a.a.a.a [firewall]

ip route b.b.b.b [firewall]

ip access-list extended Client-networks

permit ip 10.1.x.0

permit ip 10.1.y.0



Carl King

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Yudong Wu Wed, 09/15/2010 - 09:26

You can use SLA feature on ASA.


Here is the example from the above link.

The following example uses an SLA operation to install a default route  to the gateway on the outside interface. The SLA operation  monitors the availability of that gateway.If the SLA operation fails,  then the backup route on the dmz interface is used.

hostname(config)# sla monitor 123
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho interface outside 
hostname(config-sla-monitor-echo)# timeout 1000
hostname(config-sla-monitor-echo)# frequency 3
hostname(config)# sla monitor schedule 123 life forever start-time now
hostname(config)# track 1 rtr 123 reachability
hostname(config)# route outside track 1
hostname(config)# route dmz 254

Carl King Wed, 09/15/2010 - 11:13

I like that feature Yudong. Wish we had an ASA.

I've got a pair of Cisco 2851's.

Carl King Wed, 09/15/2010 - 11:46

Ah. Good. Thanks for pointing it out. I found it now.

VPN02(config)#ip sla monitor ?
  <1-2147483647>          Entry Number
  apm                     IP SLA Monitor APM Configuration
  group                   Group configuration or Group scheduling
  key-chain               Use MD5 authentication for IP SLA Monitor control
  logging                 Enable logging
  low-memory              Configure low water memory mark
  reaction-configuration  IP SLA Monitor Reaction Configuration
  reaction-trigger        IP SLA Monitor trigger assignment
  reset                   IP SLA Monitor Reset
  responder               Enable IP SLA Monitor Responder
  restart                 Restart an active entry
  schedule                IP SLA Monitor Entry Scheduling
  slm                     Service Level Management

Carl King Wed, 09/15/2010 - 11:48

Yes, I am just not familiar with the ASA and assumed the feature was platform specific.

I see now that it works on IOS.

I think I can make this work for this client.




This Discussion

Related Content