Cisco Support Community

Site Ipsec VPN to ASA- Need help configuring failover-

Hello guys,

I have a network issue on my Cisco881.

I must configure a failover using a main line SPI1-PublicAdd_1 and a backup line SP2-PubliAdd_2.

I don't know if it is possible to "build" two tunnels reaching the same address on the ASA.

My configuration is attached here.

Thank you for your help.


Site Ipsec VPN to ASA- Need help configuring failover-

Hi there,

You do not need dual peer configuration, so you would only need "crypto map vpn 10 ipsec-isakmp"

!
crypto map vpn 10 ipsec-isakmp
 set peer 217.74.97.158
 set transform-set STRONG
 match address 102
!
crypto map vpn-secours 11 ipsec-isakmp
 set peer 217.74.97.158
 set transform-set STRONG
 match address 102
!

The IPSec SA is set to expire in 1 minute, and the lowest value you can manually set is one minute; therefore you have to increase your timeout value on IP SLA to correspond with the IPSec SA expire time, such as "timeout 200000".

(You have to check the actual units of the timeout value and calculate it to be 1 minute, i.e. on the IP SLA timeout value.)

On your ASA, in the tunnel peer configuration you can assign more than one IP address that belongs to the remote peer.

crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 1.2.3.4 11.12.13.14

You also need dual tunnel peers created for the same remote VPN peer router.

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 pre-shared-key cisco1234
tunnel-group 11.12.13.14 type ipsec-l2l
tunnel-group 11.12.13.14 ipsec-attributes
 pre-shared-key cisco1234

Hope that helps.

Thanks

Rizwan Rafeek
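
The router side of the setup discussed above, written out as an added example that is not part of any post in this thread and is not the poster's attached configuration: one crypto map applied to both uplinks, with an IP SLA probe and a tracked default route deciding which line carries the tunnel. Interface names, addresses, next hops, the probe target and the SLA/track numbers are assumptions; the ISAKMP policy and key, transform set STRONG and access list 102 are assumed to exist already.

```cisco
! Constructed example. Peer address, transform-set name and ACL number are the
! ones quoted in the thread; everything else below is an assumed placeholder.
!
! A single crypto map entry pointing at the ASA, reused on both uplinks.
crypto map vpn 10 ipsec-isakmp
 set peer 217.74.97.158
 set transform-set STRONG
 match address 102
!
interface FastEthernet4
 description Main line (assumed interface and address)
 ip address 192.0.2.2 255.255.255.252
 crypto map vpn
!
interface Vlan20
 description Backup line (assumed interface and address)
 ip address 198.51.100.2 255.255.255.252
 crypto map vpn
!
! Probe the main line's next hop, sourced from the main-line interface only.
! On IOS the IP SLA timeout is in milliseconds and the frequency is in seconds,
! so one minute is 60000 and 60 respectively.
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet4
 timeout 60000
 frequency 60
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! The primary default route is withdrawn when the probe fails; the floating
! route (administrative distance 10) through the backup line then takes over,
! and traffic matching ACL 102 brings the tunnel up from the backup address.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
```

`show track 1` and `show crypto isakmp sa` show which line is active and which local address the tunnel was negotiated from.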


Site Ipsec VPN to ASA- Need help configuring failover-

Hi Rizwan,

Thank you for your response.

I just want to tell you that I can configure only my side (the Cisco881). The ASA is configured by another person.

I attached my shared configuration up here. Can you open it and tell me what goes wrong, please?

If I understand, I have to configure only one crypto map that I can put on both interfaces, and control the IP SLA timer.

Tomorrow, once back at the office, I'll correct the config and show it to you, if you agree.

Thanks so much in advance.

Site Ipsec VPN to ASA- Need help configuring failover-

I didn't hear from you, I hope you were able to resolve the problem.

Please rate helpful post.

thanks


Re: Site Ipsec VPN to ASA- Need help configuring failover-

Hi Rizwan,

Sorry, I was so busy those days.

It's OK for me. The configuration I shared works.

Regards.
