Cisco Support Community
ASA VPN Traffic move over the secondary back-up ISP

Hello Experts,

We have two ISP links, and the second one is used for backup purposes: in case the first link goes down, all internet traffic moves over the second link, and when the primary link comes back up, the traffic moves back as before.

The STS tunnel is configured and around 10 production sites are connected over the first ISP link. Only when the primary link works can tunnel traffic move and the remote sites be accessible, but in case the primary link goes down, the internet works fine as the firewall replaces the route for the internet traffic. I have tried to configure the STS VPN connection to test whether the VPN traffic can be moved onto the backup link if the primary ISP goes down, but I have not succeeded. I am following the same STS tunnel configuration as configured for the primary ISP.

Can anyone suggest what settings are required so that the VPN traffic also works in case of failure of the primary link?

Please advise.

Regards,

Vinay Gupta

3 REPLIES

Re: ASA VPN Traffic move over the secondary back-up ISP

Hi,

If you have on your site an ASA that terminates both ISP connections and establishes two tunnels (one primary and one backup), then besides the regular L2L configuration you need the following:

Have the crypto map applied to both interfaces of the ASA.

If using static routes, you can use IP SLA to monitor the status of the link, prefer one ISP connection over the other, and allow the fall-back to occur.

The details of the configuration depend on whether you are using two separate interfaces on the ASA for VPN tunnel termination or just one (for both ISPs).

How is your topology set up?

Federico.
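Putting the two requirements from the reply above (the same crypto map on both ISP interfaces, plus IP SLA-tracked static routes) into one concrete hub-side ASA configuration. This is an added example, not configuration from the thread or from Cisco; all interface names, addresses, object names, the probe target and the pre-shared key are hypothetical and must be replaced with your own.

```cisco
! Added example (not from the original thread): hub ASA with two ISP uplinks
! on two interfaces, IP SLA-tracked default routes, and one crypto map bound
! to both interfaces. All names, addresses and the PSK are hypothetical.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Probe something beyond the primary ISP's next hop so an upstream outage
! (not only a dead link) triggers the failover. "interface outside" forces
! the probe out the primary interface even after the default route has moved.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary default route is withdrawn when track 1 goes down; the floating
! route (metric 254) via the backup ISP then takes over, and is withdrawn
! again when the probe recovers.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route backup  0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Interesting traffic for one spoke (hub LAN <-> spoke LAN). The same ACL is
! used regardless of which interface the tunnel currently terminates on.
object network HUB-LAN
 subnet 10.10.0.0 255.255.0.0
object network SPOKE1-LAN
 subnet 10.20.0.0 255.255.255.0
access-list VPN-SPOKE1 extended permit ip object HUB-LAN object SPOKE1-LAN
!
! NAT exemption is per egress interface: without the second line the backup
! path would NAT the tunnel traffic and it would never match the crypto ACL.
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SPOKE1-LAN SPOKE1-LAN no-proxy-arp route-lookup
nat (inside,backup)  source static HUB-LAN HUB-LAN destination static SPOKE1-LAN SPOKE1-LAN no-proxy-arp route-lookup
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
!
crypto map VPNMAP 10 match address VPN-SPOKE1
crypto map VPNMAP 10 set peer 192.0.2.10
crypto map VPNMAP 10 set ikev1 transform-set TS-AES256
!
! The reply's point: one crypto map applied to BOTH interfaces, and IKE
! enabled on both. A crypto map bound only to "outside" is never consulted
! once traffic is routed out "backup".
crypto map VPNMAP interface outside
crypto map VPNMAP interface backup
crypto ikev1 enable outside
crypto ikev1 enable backup
!
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-PSK-CHANGE-ME
!
! --- Spoke side (hypothetical single-ISP spoke) ---
! The spoke must accept the hub on either of its public addresses and try
! them in order; otherwise the tunnel can only ever come up via the primary.
crypto map SPOKEMAP 10 set peer 198.51.100.2 203.0.113.2
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-PSK-CHANGE-ME
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-PSK-CHANGE-ME
```

To check the failover, unplug the primary uplink (or black-hole the probe target) and confirm the route has moved with `show track 1` and `show route`, then generate traffic from the hub LAN toward the spoke and watch `show crypto ikev1 sa` / `show crypto ipsec sa` for a new SA whose local address is the backup interface. If no SA appears, `debug crypto ikev1 127` on the hub shows whether IKE is even attempted from the backup address; the usual culprits are the missing per-interface NAT exemption, the spoke not listing the hub's backup address as a peer, or a mismatched tunnel-group for that address. Expect the existing SAs to be torn down and re-established when the route flips back, since the tunnel endpoint address changes.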


Re: ASA VPN Traffic move over the secondary back-up ISP

Hi,

I am using two separate interfaces for both internet links, and I have already made crypto rules for the secondary backup internet link, but it is still not working once the primary goes down.

On the other hand, the internet works fine in both cases, whether the primary link fails or comes back functional after going down, which means the SLA configuration configured in the static route is working fine.

Regards,

Vinay Gupta

Re: ASA VPN Traffic move over the secondary back-up ISP

So, the fallback of interfaces is working fine (IP SLA is working).

But the VPN is not getting established via the second interface?

Are you connecting VPN clients to the ASA or Site-to-Site?

Can you post the configuration?

Do you see the tunnel trying to establish on the second interface when the primary goes down?

Federico.
