Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
473
Views
0
Helpful
7
Replies

VPN Stack between locations

networker99
Level 1
Level 1

‎09-16-2010 10:51 AM

We have site (A) and site (B), there is layer 2 connectivity between the two sites.  The primary ASA is located at site A and the standby ASA is located at site B.  Each site has its own internet connection using BGP.   If the primary ASA fails the secondary takes over, but if the L2 connectivity is lost both go active.

Is there anyway to use interface tracking on the primary ASA so that if it loses connectivity to an IP address at site B it shuts down its interface and goes into failed status, so when the secondary ASA goes active there is no IP address conflict.

Labels:
0 Helpful
7 Replies 7

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎09-16-2010 12:40 PM

Have not really done it that way, but I'm pretty sure it should work with the IP SLA feature on the ASA.

Have you tried it already?

Federico.

0 Helpful

networker99
Level 1
Level 1
In response to Federico Coto Fajardo

‎09-16-2010 12:42 PM

No, I am looking for advice and how to configure IPSLA to shut down an interface if an IP is unreachable

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to networker99

‎09-16-2010 12:57 PM

I believe you can have a static route to that IP that you want to monitor and track that route, so that the ASA considers that link down if the IP is unreachable.

Check this link for Monitoring a Static or Default Route:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_static.html#wp1119813

Federico.

0 Helpful

networker99
Level 1
Level 1
In response to Federico Coto Fajardo

‎09-16-2010 01:18 PM

thanks, but how can I force the ASA into a failed state if the tracked IP address is unreachable?

0 Helpful

praprama
Cisco Employee
Cisco Employee
In response to networker99

‎09-17-2010 01:00 AM

Hey,

Well the way SLA monitoring on ASA works, the purpose is to have a backup link in case the primary one fails using a feature called "Static route Tracking". This is given in the document that Frederico posted. It will not help you with your requirement exactly.

How is the failover interface between the 2 ASAs connected? It is recommended for them to be connected either directly or using a switch in between. We need to basically ensure that the 2 ASAs  never lose connectivity over the Failover interface. Please ensure that you do this. If you have this, you should not face the problem of both the ASAs going active.

Please do paste a diagram of how the failover interface is connected presently.

Hope this helps!!

Regards,

Prapanch

0 Helpful

networker99
Level 1
Level 1
In response to praprama

‎09-17-2010 05:26 AM

Well, actually there are three sites connected by 10GB Fiber, the ASA;s are in two different locations.  I just wanted to know if there is a multi-site failover solution that allows the VPN on the ASA to have failover without splitting the pairs?  and without configuring a secondary peer

0 Helpful

praprama
Cisco Employee
Cisco Employee
In response to networker99

‎09-17-2010 08:27 AM

Well, if you have active/standby failover configured on the ASAs with stateful failover, VPN should failover automatically whenever devices failover. That fits the requirement you have.

Details on what all are copied from the active to the standby ASA iwth stateful failover is given below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef

If the 2 ASAs are in different locations then please ensure that we have a reliable connection between them on the "failover interface" and the "stateful failover link" as well for failover to function properly.

Regards,

Prapanch

0 Helpful
Customers Also Viewed These Support Documents