Is Failover possible on for Site-to-Site VPN ?

vinayak · ‎10-21-2010

Hello all,

Currently i am having ASA 5505. i am having 2 ISP links. I used SLA Monitoring & Tracking for failover of ISP. Means if ISP 1 gose down Traffic shifted to ISP 2.

My Qusetion is Can i use this same config i.e FAILOVER (SLA Monitoring) for Site-To-Site VPN ???

Is Load Balancing Possible on ASA 5505 ??

Bastien Migette · ‎10-21-2010

Asa can make load-balancing for VPN using the vpn cluster configuration, but it's only for remote access vpn. A workaround would be to use one side as an easy vpn client, but this will depend on asa model you use, and this is not a real load balancing, as the algorithm is per connexion, so in a site to site environment this will, at best, make a failover.

Now, I see two other options here for failover taht would be more appropriate:

-In the asa crypto map you can add multiple peers, so basically you can have static routes to these peers with tracking, if the route for one peer is failing, then the tunnel will fail and the other peer will be used.

-you can have multiple tunnels from one asa and let the routing protocol do the failover between the different tunnels.

For the load balancing, normally as far as you have two routes with the same metrics it will load balance between the tunnels

.

so if you want to load balance and failover, I think the best option would be to have two static routes for the private subnets behind your VPNs with tracking, so if the two VPNs are up, there's a load balancing, if one goes down, only the other will be used.

I hope this will help.

vinayak · ‎10-21-2010

Hi,

Thanks. Means if i create 2 Tunnels on other site then it is possible to use failover in Site-to-Site VPN ??

Bastien Migette · ‎10-21-2010

Yes, as long as you have a either a static route with tracking or dynamic routing protocol with timeout (like ospf/eigrp), if one one tunnel isn't reachable then the router will change its routing decisions.

Basically you will track the remote site public adress; so with static routes if the remote device is down, route is down, and with dynamic routing, you will make the remote device as a neighbor, so if the neighbor goes down, the routes will go down as well

vinayak · ‎10-21-2010

Hi,

I am using all static IPs with no dynamic routing protocol.

I used SLA Tracking for Failover.

I dont have router in my network. I hav only ASA 5505.

is this possible on ASA 5505 ?

Bastien Migette · ‎10-21-2010

asa supports ospf/eigrp, but if you prefer static routing that's just fine.

for example, if you have two sites, A&B, each one with an ASA (ASA_A & B), each asa connected to 2 ISP (1&2).

You will create 2 tunnels on each asa, each tunnel ending to the remote asa ISP, so one tunnel on ASA_A to ASA_B on ISP1, and same on ISP2 (but notice that if ISP1 goes down on an ASA and ISP2 goes down on the other, everything will be down, so additionally you can, in the crypto maps, adding the remote IP in the other isp as a backup peer for remote ASA).

now, on each asa, create two static routes for the remote private networks, one per tunnel, with tracking. if one of the routes fails, the other will be used. if both routes are actives, the ASA will load balance traffic.