Redundant Tunnels

thanekamp
Level 1

I was wondering if anyone knew if it was possible to apply the same crypto map (or an identical crypto map at least) to two interfaces on the same ASA?

I have two ethernet circuits being handed off by two ISPs at the Core of a hub and spoke IPVPN network, with different circuit addressing, and would like to use one of these circuits as a backup endpoint for the VPN tunnels.

I know it is fairly easy to specify a backup peer in the PIX firewalls at the remote locations, but am uncertain as to how the ASA will decide which crypto map to use if it has two maps that match the traffic it sees. Are the priority levels in a crypto map locally significant or global?

1 Reply

Fernando_Meza
Level 7

Mmm ... in fact you can just add another VPN server to the configuration on the spoke, especially if you are using the VPN client for setting up the tunnel.

Now from the ASA I don't think you can have that functionality while the same interesting traffic is applied to 2 crypto maps which in turn are enabled on two separate interfaces. What you can do is replicate the same crypto configuration using a different crypto map name and leave it saved in the config WITHOUT binding it to the second interface.

When the link to ISP 1 goes down, you can remove the crypto map from the failed interface and apply the second crypto map to the interface connected to ISP 2. I know this is not automatic as you would like, but perhaps it is your only option.

I hope it helps ... please rate it if it does!