ASA sitting behind two routers configured for VRRP
I have a site currently set up with a Cisco router provided by an ISP, with an ASA sat behind the router configured for multiple site-to-site VPNs.
I am looking at adding further redundancy into this site by installing a secondary internet line, going into a secondary router, and then VRRP configured between the routers.
My question is: will this affect the ASA in any way? Will the site-to-site VPNs drop out at all, or will there be any confusion for the ASA?
I can't think of any reason why this would affect the ASA, even in the event of the primary router going down and a failover happening. However, I thought I would try and run this past some people who are better experienced with ASAs.
For your central ASA that won't be a major problem. For your spoke it could be a problem. The spoke will have two VPN peers configured, one on each ISP. But through VRRP, only one of these peers will actually work. That is because traffic sent through the secondary ISP will be answered by the ASA and sent to the active router on the primary ISP. The NAT on that device will change the address to the first peer address and the traffic becomes invalid.
A perhaps better solution could be to migrate the VPNs to the routers. Then you won't have the mentioned problem.
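The return-path problem described in the answer above, modelled as a short Python simulation. This is an added example, not part of the original thread; the router names, the documentation-range addresses and the assumption that each ISP router NATs the ASA to its own public address are constructed for illustration.

```python
# Constructed model: two ISP routers in a VRRP group in front of one ASA.
# Assumption: each router NATs the ASA to its own public address, and the
# ASA's default gateway is the VRRP virtual IP.
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    public_ip: str   # address the spoke configures as a VPN peer on this ISP
    up: bool = True


def vrrp_master(routers):
    """Routers are listed in priority order; the first one that is up owns the virtual IP."""
    for r in routers:
        if r.up:
            return r
    return None


def ike_exchange(routers, peer_ip):
    """Follow one request from the spoke to peer_ip and the ASA's reply back.

    Returns (ok, detail). The exchange succeeds only if the reply reaches the
    spoke with the same source address the spoke sent its request to.
    """
    ingress = next((r for r in routers if r.public_ip == peer_ip), None)
    if ingress is None or not ingress.up:
        return False, "request lost: ingress router is down"
    # Inbound: the ingress router translates peer_ip to the ASA and forwards it.
    # Outbound: the ASA replies via its default gateway, i.e. the VRRP master,
    # which source-NATs the reply to its own public address.
    egress = vrrp_master(routers)
    reply_src = egress.public_ip
    if reply_src != peer_ip:
        return False, f"reply from {reply_src}, spoke expected {peer_ip}"
    return True, f"reply from {reply_src}"


def usable_peers(routers):
    """Peer addresses the spoke can actually build a tunnel to in the current VRRP state."""
    return [r.public_ip for r in routers if ike_exchange(routers, r.public_ip)[0]]


if __name__ == "__main__":
    site = [Router("R1-primary", "198.51.100.1"), Router("R2-secondary", "198.51.100.129")]
    print("R1 master:", usable_peers(site), ike_exchange(site, "198.51.100.129"))
    site[0].up = False   # primary router fails, R2 takes over the virtual IP
    print("R2 master:", usable_peers(site))
```

In either VRRP state only the peer address on the current master completes the exchange, which is why the spoke sees one working peer at a time.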
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: