Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Is Failover possible on for Site-to-Site VPN ?

Hello all,

Currently i am having ASA 5505. i am having 2 ISP links. I used SLA Monitoring & Tracking for failover of ISP. Means if ISP 1 gose down Traffic shifted to ISP 2.

My Qusetion is  Can i use  this same config i.e FAILOVER (SLA Monitoring)  for Site-To-Site VPN ???

Is Load Balancing Possible on ASA 5505 ??

  • Firewalling
5 REPLIES
Cisco Employee

Re: Is Failover possible on for Site-to-Site VPN ?

Asa can make load-balancing for VPN using the vpn cluster configuration, but it's only for remote access vpn. A workaround would be to use one side as an easy vpn client, but this will depend on asa model you use, and this is not a real load balancing, as the algorithm is per connexion, so in a site to site environment this will, at best, make a failover.

Now, I see two other options here for failover taht would be more appropriate:

-In the asa crypto map you can add multiple peers, so basically you can have static routes to these peers with tracking, if the route for one peer is failing, then the tunnel will fail and the other peer will be used.

-you can have multiple tunnels from one asa and let the routing protocol do the failover between the different tunnels.

For the load balancing, normally as far as you have two routes with the same metrics it will load balance between the tunnels

.

so if you want to load balance and failover, I think the best option would be to have two static routes for the private subnets behind your VPNs with tracking, so if the two VPNs are up, there's a load balancing, if one goes down, only the other will be used.

I hope this will help.

New Member

Re: Is Failover possible on for Site-to-Site VPN ?

Hi,

Thanks. Means if i create 2 Tunnels on other site then it is possible to use failover in Site-to-Site VPN ??

Cisco Employee

Re: Is Failover possible on for Site-to-Site VPN ?

Yes, as long as you have a either a static route with tracking or dynamic routing protocol with timeout (like ospf/eigrp), if one one tunnel isn't reachable then the router will change its routing decisions.

Basically you will track the remote site public adress; so with static routes if the remote device is down, route is down, and with dynamic routing, you will make the remote device as a neighbor, so if the neighbor goes down, the routes will go down as well

New Member

Re: Is Failover possible on for Site-to-Site VPN ?

Hi,

I am using all static IPs with no dynamic routing protocol.

I used SLA Tracking for Failover.

I dont have router in my network. I hav only ASA 5505.

is this possible on ASA 5505 ?

Cisco Employee

Re: Is Failover possible on for Site-to-Site VPN ?

asa supports ospf/eigrp, but if you prefer static routing that's just fine.

for example, if you have two sites, A&B, each one with an ASA (ASA_A & B), each asa connected to 2 ISP (1&2).

You will create 2 tunnels on each asa, each tunnel ending to the remote asa ISP, so one tunnel on ASA_A to ASA_B on ISP1, and same on ISP2 (but notice that if ISP1 goes down on an ASA and ISP2 goes down on the other, everything will be down, so additionally you can, in the crypto maps, adding the remote IP in the other isp as a backup peer for remote ASA).

now, on each asa, create two static routes for the remote private networks, one per tunnel, with tracking. if one of the routes fails, the other will be used. if both routes are actives, the ASA will load balance traffic.

391
Views
5
Helpful
5
Replies
This widget could not be displayed.