03-02-2012 10:10 AM - edited 03-07-2019 05:18 AM
Hello guys,
I have one network issue on my Cisco881.
I must configure a failover using a main line SPI1-PublicAdd_1 and a backup line SP2-PubliAdd_2.
I don't know if it is possible to "build" two tunnels reaching the same address on the ASA.
My configuration is attached here.
Thank you for your help.
03-03-2012 07:18 PM
Hi there,
You do not need dual peer configuration, so you would only need "crypto map vpn 10 ipsec-isakmp"
!
crypto map vpn 10 ipsec-isakmp
 set peer 217.74.97.158
 set transform-set STRONG
 match address 102
!
crypto map vpn-secours 11 ipsec-isakmp
 set peer 217.74.97.158
 set transform-set STRONG
 match address 102
!
The IPSec SA is set to expire in 1 minute, and the lowest value you can manually set is one minute; therefore you have to increase your timeout value on IP SLA to correspond with the IPSec SA expire time, such as "timeout 200000".
(You have to check the actual units of the timeout value and calculate it to be 1 minute, i.e. on the IP SLA timeout value.)
On your ASA, in the tunnel peer configuration you can assign more than one IP address that belongs to the remote peer.
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 1.2.3.4 11.12.13.14
You also need dual tunnel peers created for the same remote VPN peer router.
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 pre-shared-key cisco1234
tunnel-group 11.12.13.14 type ipsec-l2l
tunnel-group 11.12.13.14 ipsec-attributes
 pre-shared-key cisco1234
Hope that helps.
Thanks
Rizwan Rafeek
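The router-side setup discussed in this reply, as an added example that is not from the thread or from the attached configuration: one crypto map applied to both WAN interfaces, with an IP SLA probe tracking the main line's default route. The backup interface name, next-hop addresses and probe target are placeholders (assumptions); the peer, transform set and ACL number are the ones quoted above.

```cisco
! Added example. Addresses from 192.0.2.0/24, 198.51.100.0/24 and
! 203.0.113.0/24 are documentation placeholders, not values from the thread.
!
crypto map vpn 10 ipsec-isakmp
 set peer 217.74.97.158
 set transform-set STRONG
 match address 102
!
! Same crypto map on both WAN interfaces. The ASA then sees two different
! source addresses, which is why it needs both listed as peers.
interface FastEthernet4
 description Main line (SP1)
 crypto map vpn
!
interface Vlan2
 description Backup line (SP2), interface name is an assumption
 crypto map vpn
!
! Probe a host reachable only through the main line.
! threshold and timeout are in milliseconds, frequency is in seconds,
! and IOS requires threshold <= timeout <= frequency.
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet4
 threshold 1000
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Main default route is withdrawn when the probe fails; the floating
! static route (administrative distance 10) then takes over.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10
```

`show track 1` and `show crypto session` confirm which line is active and which interface the tunnel is currently built on.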
03-04-2012 11:35 AM
Hi Rizwan,
Thank you for your response.
I just want to tell you that I can configure only my side (the Cisco881). The ASA is configured by another person.
I attached my shared configuration up here. Can you open it and tell me what goes wrong, please?
If I understand, I have to configure only one crypto map that I can put on both interfaces, and control the IP SLA timer.
Tomorrow, once back at the office, I'll correct the config and show it to you, if you agree.
Thanks so much in advance.
03-12-2012 11:27 AM
I didn't hear from you, I hope you were able to resolve the problem.
Please rate helpful posts.
Thanks
03-13-2012 01:50 AM
Hi Rizwan,
Sorry, I was so busy these days.
It's OK for me. The configuration I shared works.
Regards.