VPN failover and balancing

Unanswered Question
Jul 2nd, 2012

Site A and Site B, in each site an ASA; the sites are connected through a VPN configured on the ASAs

I need to ensure high-reliability in connection.

I would add a second line, with a different provider, and configur a second VPN on the FireWall.

No problem to add the second "outside", with its "public" address (same "phisical with 2 sub-interfaces).

But the ASA accepts two VPN between the same Firewall?

Same local Network ad same remote Network ...

And how will the ASA share the traffic on the two VPN?

Can I give a kid of "priority"?

A different / better way?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Mon, 07/02/2012 - 05:43

No, you can't configure 2 VPN tunnel with the same local network and remote network, that is not a supported configuration.

You can however configure 2 IP Addresses within the "set peer" command, one IP for the first provider and the second IP for the second provider, and remember to configure "tunnel-group" for the second provider as well with the pre-shared key.

battanc Mon, 07/02/2012 - 05:59

OK, suppose in Site-A I configure 2 different remote peer (only by CLI, right?)

What about the configuratrion in Site-B, how can I configure 2 local peer (on different interfaces) with the same remote peer


Jennifer Halim Mon, 07/02/2012 - 06:03

On site-B, you can terminate the VPN on 2 interfaces, and configure SLA monitor to monitor the 1st ISP, and when ISP 1 is down, you can failover to the second interface with ISP 2.

battanc Mon, 07/02/2012 - 06:16

But doing so, only Site-B has high-availability (using two interfaces, based on different provider), Site-A has a single-point-of-failure, using only ONE interfaces (only one provider).

Did I understand right?


This Discussion

Related Content