New Member

Redundant Site to Site VPN Pix/ASA

Hi All,

I have a site which has two peer endpoints and wants one of them to be redundant. I know it's possible to configure on the crypto map more than one peer.

Is there a configuration feature like DPD available on the PIX/ASA? The version running on the PIX is 7.2.3.

TIA

Jack

Accepted Solutions
Green

Re: Redundant Site to Site VPN Pix/ASA

See here under usage guidelines...

http://cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2066090

connection type needs to be originate-only as well, which means the far end must be answer-only.

I also don't think you need to create separate tunnel groups, but I could be wrong.

3 REPLIES
Green

Re: Redundant Site to Site VPN Pix/ASA

Dead peer detection is enabled by default with the following command...

tunnel-group ipsec-attributes

isakmp keepalive threshold 10 retry 2

http://cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1732140

New Member

Re: Redundant Site to Site VPN Pix/ASA

Hi,

Thanks for your answer.

In essence my config should look something like this:

crypto map pix match address 101

crypto map pix set peer peer one

crypto map pix set peer peer two

crypto map pix set transform-set myset

tunnel-group peer 1 type ipsec-l2l

tunnel-group peer 1 ipsec-attributes

isakmp keepalive threshold 10 retry 2

tunnel-group peer 2 type ipsec-l2l

tunnel-group peer 2 ipsec-attributes

isakmp keepalive threshold 10 retry 2

Thanks.

Jack.
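The pieces discussed in this thread (a two-peer crypto map, DPD keepalives and the originate-only/answer-only pairing from the accepted solution), written out as one configuration. This is an added example, not posted by either participant. The map name pix, ACL 101 and transform set myset come from the thread; the IP addresses, subnets, sequence number 10, interface name, the far-end map name remote, the transform-set algorithms and the key placeholders are assumptions.

```cisco
! --- Local PIX/ASA (7.2 syntax) ---
! All addresses are constructed documentation addresses (assumption).
access-list 101 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! Algorithms are an assumption; use whatever both ends agree on.
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
!
crypto map pix 10 match address 101
! Both peers go on one "set peer" line; they are tried in the order listed.
crypto map pix 10 set peer 192.0.2.1 198.51.100.1
crypto map pix 10 set transform-set myset
! Multiple peers require this end to originate the tunnel.
crypto map pix 10 set connection-type originate-only
crypto map pix interface outside
!
! One L2L tunnel group per peer, named after the peer address.
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key <key-for-peer-1>
 ! DPD: start probing after 10 s idle, retry every 2 s.
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <key-for-peer-2>
 isakmp keepalive threshold 10 retry 2
!
! --- Each far-end device (203.0.113.1 is the local PIX/ASA above) ---
! The far end must only answer, never initiate.
crypto map remote 10 set peer 203.0.113.1
crypto map remote 10 set connection-type answer-only
```

After a failover test, `show crypto isakmp sa` on the local unit shows which of the two peers currently holds the tunnel.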
