Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
475
Views
0
Helpful
3
Replies

ASA VPN Traffic move over the secondary back-up ISP

ray_stone
Level 1
Level 1

‎05-09-2010 04:16 AM - edited ‎03-11-2019 10:42 AM

Hello Experts,

We have two ISP links and second one is using for back-up purpose in case first link goes down then all internet traffic moves over the second link and while primary link come back functional then the traffic moves back as previously.

The STS Tunnel is configured and around 10 production sites are connected with first ISP link and when primary link works then only tunnel traffic can be move and remote sites are accessible but in-case the primary link goes down then the internet works fine as firewall replace the route of internet traffic. I have tried to configure the STS VPN  connection to test the VPN traffic to be moved on the backup link if primary ISP goes down but I am not being succeed. I am following the same STS Tunnel configuration as same configured for the primary ISP.

Can anyone suggest what settings are required so that the VPN traffic also works in case of failure of primary link.

Please Advice.

Regards,

Vinay Gupta

Labels:
0 Helpful
3 Replies 3

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎05-09-2010 09:31 AM

Hi,

If you have on your site an ASA that terminates both ISP connections and establish two tunnels (one primary and one backup), then besides the regular L2L configuration you need the following:

Have the crypto map applied to both interfaces of the ASA.

If using static routes, can use IP SLA to monitor the status of the link and prefer one ISP connection over the other, and allow the fall-back to occur.

The details of the configuration depends if using two separate interfaces on the ASA for VPN tunnel termination or using just one (for both ISPs).

How do you have your topology?

Federico.

0 Helpful

ray_stone
Level 1
Level 1
In response to Federico Coto Fajardo

‎05-10-2010 12:43 AM

Hi,

I am using two sepearte interfaces for both Internet links and i have already made crypto rules for the seconday backup internet link but still its not working once primary goes down.

On the other hand internet works fine in both case whether primary link goes fail or it comes back functional after going down that means the sla configuration which is configured into static route is working fine.

Regards,

Vinay Gupta

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to ray_stone

‎05-10-2010 07:01 AM

So, the fallback of interfaces are working fine (IP SLA is working).

But the VPN is not getting established via the second interface?

Are you connecting VPN clients to the ASA or Site-to-Site?

Can you post the configuration?

Do you see the tunnel trying to establish on the second interface when the primary goes down?

Federico.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card