Site Ipsec VPN to ASA- Need help configuring failover-

kh debb
Level 1

Hello guys,

I have a network issue on my Cisco881.

I must configure a failover using a main line SPI1-PublicAdd_1 and a backup line SP2-PubliAdd_2.

I don't know if it is possible to "build" two tunnels reaching the same address on the ASA.

Attached here is my configuration.

Thank you for your help.


rizwanr74
Level 7

Hi there,

You do not need dual peer configuration, so you would only need "crypto map vpn 10 ipsec-isakmp"

!
crypto map vpn 10 ipsec-isakmp
 set peer 217.74.97.158
 set transform-set STRONG
 match address 102
!
crypto map vpn-secours 11 ipsec-isakmp
 set peer 217.74.97.158
 set transform-set STRONG
 match address 102
!

The IPSec SA is set to expire in 1 minute, and the lowest value you can manually set is one minute; therefore you have to increase your timeout value on the IP SLA to correspond with the IPSec SA expiry time, such as "timeout 200000".

(You have to check the actual units of the timeout value and calculate it to be 1 minute, i.e. on the IP SLA timeout value.)

On your ASA, in the tunnel peer configuration you can assign more than one IP address that belongs to the remote peer.

crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 1.2.3.4 11.12.13.14

You also need dual tunnel peers created for the same remote VPN peer router.

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 pre-shared-key cisco1234
tunnel-group 11.12.13.14 type ipsec-l2l
tunnel-group 11.12.13.14 ipsec-attributes
 pre-shared-key cisco1234

Hope that helps.

Thanks

Rizwan Rafeek

Hi Rizwan,

Thank you for your response.

I just want to tell you that I can configure only my side (the Cisco881). The ASA is configured by another person.

I attached my shared configuration up here. Can you open it and tell me what goes wrong, please?

If I understand, I have to configure only one crypto map that I can put on both interfaces, and control the IP SLA timer.

Tomorrow, once back at the office, I'll correct the config and show it to you, if you agree.

Thanks so much in advance.

I didn't hear from you, I hope you were able to resolve the problem.

Please rate helpful post.

thanks

Hi Rizwan,

Sorry, I was so busy those days.

It's OK for me. The configuration I shared works.

Regards.
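
The router-side layout discussed in this thread (one crypto map applied to both WAN interfaces, with an IP SLA probe driving the route failover), written out as an added example; it is not the configuration attached to the original post. The interface names, the 192.0.2.x and 198.51.100.x addresses, the probe timers and the newer `ip sla` / `track ... ip sla` syntax are assumptions; the peer address, transform set and ACL number are the ones quoted above.

```cisco
! Added example. Interface names and the 192.0.2.x / 198.51.100.x
! addresses are constructed placeholders, not values from the thread.
!
! Probe the primary ISP next hop (detects loss of the primary link).
! timeout is in milliseconds, frequency is in seconds.
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet4
 timeout 5000
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! The primary default route stays installed only while the probe succeeds.
! The backup route is a floating static with a higher administrative distance.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! One crypto map entry with the single ASA peer quoted in the thread.
crypto map vpn 10 ipsec-isakmp
 set peer 217.74.97.158
 set transform-set STRONG
 match address 102
!
! The same map is applied to both WAN interfaces; the tunnel is built from
! whichever interface currently holds the route to the peer.
interface FastEthernet4
 description Primary ISP (placeholder)
 ip address 192.0.2.2 255.255.255.252
 crypto map vpn
!
interface Vlan2
 description Backup ISP (placeholder)
 ip address 198.51.100.2 255.255.255.252
 crypto map vpn
```

After a failover, `show track 1` and `show crypto isakmp sa` on the router show which path and local address the tunnel is using. The ASA side still has to list both of the router's public addresses as peers, as described in the first reply.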
