Failover VPNs ASA -> 3rd Party Device

Unanswered Question
Jul 9th, 2014

I have an interesting scenario and can't work out how to solve my problem.

We have multiple sites.  Each site has two P2P links back to different data centres, in turn the data centres are connected via P2P links.  OSPF runs across the network to provide redundant routing so there is no single point of failure.  Two of the data centres have Internet breakout via Fortigate firewalls.  These participate in OSPF and advertise weighted default routes to the rest of the network.  This all works well.

The problem I have relates to one site which connects in via an IPSEC tunnel (from an ASA to the Fortigate in the Primary DC).  I need to set things up so that if the firewall in the Primary DC goes down for whatever reason, the ASA at the remote site initiates a VPN connection to the firewall in the Secondary DC.

From what I have found online if we had ASAs at both ends I could make use of the Backup Lan-to-Lan feature.  If we had IOS routers (or at least an IOS router at the remote site rather than an ASA) I could use the IPsec Preferred Peer option.

Does anyone know how I can achieve what I need with the hardware currently in place?  If I need to replace hardware then swapping out the ASA on the remote site for a Fortigate will likely be the easiest and most cost effective route to take.

Marcin Latosiewicz (Cisco Employee) Sun, 07/13/2014 - 00:21

Justin, 

Yeah ASA is limited in terms of options compared to IOS.

However, what you can do is have the ASA in "respond only" mode for a crypto map entry (with the IP addresses of both gateways).

In this scenario it would be up to the DC side to initiate the tunnels to ASAs (and pick which one should initiate). 

May or may not work in your setup. 

Also worth mentioning is that we recently added support for this:

https://tools.cisco.com/bugsearch/bug/CSCui57181/?reffering_site=dumpcr

Again may or may not work for you. 

M.
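As an added illustration of the "respond only" crypto map entry Marcin describes (example configuration written for this page, not taken from the thread; all object names, networks and peer addresses are assumed placeholders):

```text
! Assumed placeholder values: 203.0.113.10 = primary DC Fortigate,
! 198.51.100.10 = secondary DC Fortigate, 10.50.0.0/24 = remote site LAN,
! 10.0.0.0/8 = DC networks reachable through the tunnel.
object-group network SITE_LAN
 network-object 10.50.0.0 255.255.255.0
object-group network DC_NETS
 network-object 10.0.0.0 255.0.0.0
access-list VPN_TO_DC extended permit ip object-group SITE_LAN object-group DC_NETS

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside

crypto ipsec ikev1 transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac

! One tunnel-group per DC gateway so each peer has its own pre-shared key.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PRIMARY_DC_PSK>
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <SECONDARY_DC_PSK>

! A single crypto map entry that lists both DC gateways as acceptable peers
! and never initiates: the ASA only answers, so the DC side decides which
! Fortigate brings the tunnel up.
crypto map OUTSIDE_MAP 10 match address VPN_TO_DC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES256_SHA
crypto map OUTSIDE_MAP 10 set connection-type answer-only
crypto map OUTSIDE_MAP interface outside
```

Because the ASA never originates with answer-only, the "use B only when A is down" decision has to live on the Fortigate side, which is the limitation the rest of the thread discusses.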

justinfielding Sun, 07/13/2014 - 01:43

Thanks for the reply Marcin.  Both of your suggestions are good ones, however in this scenario both DC firewalls are alive at the same time, so there needs to be some kind of logic on the device at the remote site to say that it should only use tunnel B if tunnel A is down.

Thinking on this, is it possible to run an 'interface' or 'routed' mode IPSEC VPN with the ASA?  I know this is possible with the Fortigates and think it's the default mode for Junipers.  If that were possible we might be able to have both tunnels up and have OSPF run over them which would be another way to solve this problem.

Marcin Latosiewicz (Cisco Employee) Sun, 07/13/2014 - 02:37

No routed VPN support on ASA, we've been fighting for it for ages, not that it helps you much.

justinfielding Mon, 07/14/2014 - 16:59

Just one outside interface.

The ASA's lack of functionality is very disappointing, it's not like they are cheap and cheerful consumer units.  It looks like I'm going to have to propose swapping it out for a Fortigate.

I find it really odd that in switching and routing Cisco are great but for firewalls so behind, particularly the ASAs.  It seems like an ISR actually has better capabilities.

Marcin Latosiewicz (Cisco Employee) Tue, 07/15/2014 - 01:34

Justin, 

ISR/ASR are indeed more feature rich in terms of IPsec. ASA would have more/better remote access capabilities.

Bring it up with your SE if you have the time; they don't necessarily like it when Cisco stuff is being swapped out, plus they can sit with you and look at the overall design and suggest what can be done.

That last is very hard to do via forums :-)

M.
