VPN failover and balancing

Unanswered Question
Jul 2nd, 2012
User Badges:

Site A and Site B, in each site an ASA; the sites are connected through a VPN configured on the ASAs

I need to ensure high-reliability in connection.

I would add a second line, with a different provider, and configur a second VPN on the FireWall.

No problem to add the second "outside", with its "public" address (same "phisical with 2 sub-interfaces).

But the ASA accepts two VPN between the same Firewall?

Same local Network ad same remote Network ...

And how will the ASA share the traffic on the two VPN?

Can I give a kid of "priority"?

A different / better way?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Mon, 07/02/2012 - 05:43
User Badges:
  • Cisco Employee,

No, you can't configure 2 VPN tunnel with the same local network and remote network, that is not a supported configuration.

You can however configure 2 IP Addresses within the "set peer" command, one IP for the first provider and the second IP for the second provider, and remember to configure "tunnel-group" for the second provider as well with the pre-shared key.

battanc Mon, 07/02/2012 - 05:59
User Badges:

OK, suppose in Site-A I configure 2 different remote peer (only by CLI, right?)

What about the configuratrion in Site-B, how can I configure 2 local peer (on different interfaces) with the same remote peer


Jennifer Halim Mon, 07/02/2012 - 06:03
User Badges:
  • Cisco Employee,

On site-B, you can terminate the VPN on 2 interfaces, and configure SLA monitor to monitor the 1st ISP, and when ISP 1 is down, you can failover to the second interface with ISP 2.

battanc Mon, 07/02/2012 - 06:16
User Badges:

But doing so, only Site-B has high-availability (using two interfaces, based on different provider), Site-A has a single-point-of-failure, using only ONE interfaces (only one provider).

Did I understand right?

battanc Mon, 07/02/2012 - 08:49
User Badges:

Do you have some example of configuration?


This Discussion