IPSec L2L VPN with Failover -- Single IP on ASA -- Dual Homed WatchGuard
Could someone please explain to me how to convert a site-to-site single IP mapping on an ASA terminating on a WatchGuard, which will become dual-homed (the WG will; the ASA will continue utilizing a single provider), utilizing WAN failover, so that failure of the primary ISP on the WG will trigger a route deletion and dynamically route traffic across the other tunnel on the ASA configuration side?
Is this even possible with native L2L configuration or do you need multiple tunnels with IP SLA or OSPF? Or can't it be done?
Re: IPSec L2L VPN with Failover -- Single IP on ASA -- Dual Homed WatchGuard
It can be done and it is quite simple on the ASA. The solution does not involve multiple tunnels on the ASA and does not involve route deletion. You would simply modify the configuration of the ASA tunnel to specify a second peer address. If your config looked something like this:
crypto map vpn_map 10 set peer a.b.c.d
you would modify it to be
crypto map vpn_map 10 set peer a.b.c.d e.f.g.h
With this configuration your ASA would negotiate the VPN tunnel with a.b.c.d and if that peer became unavailable then your ASA would negotiate the VPN with e.f.g.h. Note that failover here is automatic but that it does not automatically fail back.
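The following is an added, fuller illustration of the dual-peer approach described in the answer above; it is not the answerer's configuration and not taken from the original thread. It assumes ASA 8.4+ IKEv1 command syntax, that the IKEv1 policy and `crypto ikev1 enable outside` already exist from the single-peer tunnel, and that a.b.c.d / e.f.g.h are the WatchGuard's two ISP addresses. The crypto map name `vpn_map`, the ACL name `L2L_WG`, the transform-set name and the 10.1.0.0/16 and 10.2.0.0/16 subnets are placeholders constructed for this example. The two `tunnel-group` entries matter: the ASA looks up the pre-shared key by peer address, so the secondary peer needs its own tunnel-group or the failover negotiation will fail authentication. The `isakmp keepalive` (DPD) settings are what actually make the ASA notice that a.b.c.d has gone away and move to e.f.g.h, so they should be set on both tunnel-groups.

```cisco
! Interesting traffic for the L2L tunnel (subnets constructed for this example)
access-list L2L_WG extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! One tunnel-group per peer address: the PSK is looked up by peer IP,
! so the secondary ISP address must have its own entry or it cannot authenticate.
! DPD (isakmp keepalive) drives the detection of a dead primary peer.
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
 isakmp keepalive threshold 10 retry 2

tunnel-group e.f.g.h type ipsec-l2l
tunnel-group e.f.g.h ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
 isakmp keepalive threshold 10 retry 2

! Phase 2 proposal (name is a placeholder)
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Single crypto map entry with an ordered peer list: the ASA tries a.b.c.d first
! and only moves to e.f.g.h when the first peer stops responding.
crypto map vpn_map 10 match address L2L_WG
crypto map vpn_map 10 set peer a.b.c.d e.f.g.h
crypto map vpn_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map vpn_map interface outside

! Verification: which peer the SA is currently built with
show crypto ikev1 sa
show crypto ipsec sa peer e.f.g.h
```

Because the ASA does not fail back on its own, once the primary ISP returns the tunnel stays on e.f.g.h until that SA is torn down (by lifetime expiry, by the WatchGuard, or manually with `clear crypto ipsec sa peer e.f.g.h`), after which the next negotiation starts again with the first peer in the list.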