05-09-2010 04:16 AM - edited 03-11-2019 10:42 AM
Hello Experts,
We have two ISP links and the second one is used for backup purposes: in case the first link goes down, all internet traffic moves over the second link, and when the primary link comes back functional the traffic moves back as before.
The STS tunnel is configured and around 10 production sites are connected over the first ISP link. When the primary link works, the tunnel traffic can move and the remote sites are accessible, but in case the primary link goes down only the internet works fine, as the firewall replaces the route for the internet traffic. I have tried to configure the STS VPN connection to test whether the VPN traffic moves to the backup link if the primary ISP goes down, but I have not succeeded. I am following the same STS tunnel configuration as configured for the primary ISP.
Can anyone suggest what settings are required so that the VPN traffic also works in case of failure of the primary link?
Please advise.
Regards,
Vinay Gupta
05-09-2010 09:31 AM
Hi,
If you have on your site an ASA that terminates both ISP connections and establishes two tunnels (one primary and one backup), then besides the regular L2L configuration you need the following:
Have the crypto map applied to both interfaces of the ASA.
If using static routes, you can use IP SLA to monitor the status of the link, prefer one ISP connection over the other, and allow the fall-back to occur.
The details of the configuration depend on whether you are using two separate interfaces on the ASA for VPN tunnel termination or just one (for both ISPs).
What is your topology?
Federico.
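The two points above (crypto map on both ISP interfaces, IP SLA tracking the primary route) as one added ASA configuration sketch. This is an illustrative example written for this thread, not configuration posted by either participant. It assumes ASA 8.x syntax, interface names `outside` (primary ISP) and `backup` (secondary ISP), RFC 5737 documentation addresses for the ISP gateways (203.0.113.1, 198.51.100.1) and the remote peer (192.0.2.10), and hypothetical names `outside_map`, `VPN_ACL`, `NO_NAT` and `ESP-AES-SHA`; the pre-shared key is a placeholder.

```cisco
! Added example, not from the original thread. Addresses are RFC 5737 placeholders;
! object names (outside_map, VPN_ACL, NO_NAT, ESP-AES-SHA) are assumed.

! 1. Track the primary ISP gateway with IP SLA so the default route fails over.
!    The backup route has a worse metric (254) and only takes effect when the
!    tracked primary route is withdrawn.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254

! 2. Phase 1 / Phase 2 parameters (must match the remote site).
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! 3. ISAKMP has to be enabled on BOTH ISP-facing interfaces, otherwise the
!    ASA never negotiates IKE on the backup link.
crypto isakmp enable outside
crypto isakmp enable backup

! 4. Interesting traffic: the local LAN to the remote-site LAN.
access-list VPN_ACL extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! 5. One crypto map, bound to both interfaces. The same entry is used
!    whichever interface currently carries the default route.
crypto map outside_map 10 match address VPN_ACL
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto map outside_map interface backup

! 6. Tunnel group for the remote peer (PSK is a placeholder).
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET

! 7. NAT exemption for tunnel traffic. On 8.2-style NAT the "nat 0" rule is
!    keyed on the inside interface, so it applies regardless of the egress ISP.
access-list NO_NAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NO_NAT
```

Two things to check when testing the failover: the remote site's crypto map must list both of this ASA's public addresses as acceptable peers (`set peer <primary-ip> <backup-ip>`), since the tunnel will now originate from the backup interface's address; and `show crypto isakmp sa` / `show crypto ipsec sa` on the ASA show which local address the SA was built on, which answers the "do you see the tunnel trying to establish on the second interface" question directly. When the primary link recovers, an SA that was negotiated over the backup address can linger until it times out or is cleared, so fallback of the VPN is typically slower than fallback of the plain internet route.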
05-10-2010 12:43 AM
Hi,
I am using two separate interfaces for both internet links and I have already made crypto rules for the secondary backup internet link, but still it's not working once the primary goes down.
On the other hand, the internet works fine in both cases, whether the primary link fails or comes back functional after going down, which means the SLA configuration on the static route is working fine.
Regards,
Vinay Gupta
05-10-2010 07:01 AM
So, the fallback of interfaces is working fine (IP SLA is working).
But the VPN is not getting established via the second interface?
Are you connecting VPN clients to the ASA or Site-to-Site?
Can you post the configuration?
Do you see the tunnel trying to establish on the second interface when the primary goes down?
Federico.