Cisco Support Community
IPSec L2L VPN with Failover -- Single IP on ASA -- Dual Homed WatchGuard

Could someone please explain to me how to convert a site-to-site single IP mapping on an ASA terminating on a WatchGuard, which will become dual-homed (the WG will--the ASA will continue utilizing a single provider), utilizing WAN failover, so that failure of the primary ISP on the WG will trigger a route deletion and dynamically route traffic across the other tunnel on the ASA configuration side?

Is this even possible with native L2L configuration or do you need multiple tunnels with IP SLA or OSPF?  Or can't it be done?

Tom

1 REPLY

Re: IPSec L2L VPN with Failover -- Single IP on ASA -- Dual Homed WatchGuard

Tom

It can be done and it is quite simple on the ASA. The solution does not involve multiple tunnels on the ASA and does not involve route deletion. You would simply modify the configuration of the ASA tunnel to specify a second peer address. If your config looked something like this

crypto map vpn_map 10 set peer a.b.c.d

you would modify it to be

crypto map vpn_map 10 set peer a.b.c.d e.f.g.h

With this configuration your ASA would negotiate the VPN tunnel with a.b.c.d and if that peer became unavailable then your ASA would negotiate the VPN with e.f.g.h. Note that failover here is automatic but that it does not automatically fail back.

HTH

Rick
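The two-peer crypto map Rick describes, written out as a complete ASA IKEv1 site-to-site configuration so the surrounding pieces (tunnel-groups for both peer addresses, matching phase 1/2 parameters) are visible. This is an added example, not a configuration posted in this thread; the interface name, subnets, object and ACL names, crypto parameters, the pre-shared key placeholder and the ASA 8.4+ `ikev1` keyword syntax are assumptions, and a.b.c.d / e.f.g.h stand for the WatchGuard's primary and secondary WAN addresses.

```cisco
! Added example, not from the original thread. Assumed: outside interface named
! "outside", ASA LAN 10.1.1.0/24, WatchGuard LAN 10.2.2.0/24, WatchGuard WAN
! addresses a.b.c.d (primary ISP) and e.f.g.h (secondary ISP), ASA 8.4+ syntax.

! Interesting traffic is identical no matter which WatchGuard address the tunnel lands on
object-group network ASA-LAN
 network-object 10.1.1.0 255.255.255.0
object-group network WG-LAN
 network-object 10.2.2.0 255.255.255.0
access-list VPN-TO-WG extended permit ip object-group ASA-LAN object-group WG-LAN

! Phase 1 and phase 2 parameters must match what the WatchGuard proposes on BOTH WAN links
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set WG-TS esp-aes-256 esp-sha-hmac

! One tunnel-group per peer address: the ASA selects the L2L tunnel-group by the peer's IP,
! so the secondary address needs its own entry (same PSK the WatchGuard uses for the tunnel)
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
tunnel-group e.f.g.h type ipsec-l2l
tunnel-group e.f.g.h ipsec-attributes
 ikev1 pre-shared-key <shared-secret>

! The only change from a single-peer map is the second address on "set peer".
! The ASA negotiates with a.b.c.d first and moves to e.f.g.h only when a.b.c.d stops responding.
crypto map vpn_map 10 match address VPN-TO-WG
crypto map vpn_map 10 set peer a.b.c.d e.f.g.h
crypto map vpn_map 10 set ikev1 transform-set WG-TS
crypto map vpn_map interface outside
crypto ikev1 enable outside
```

Two operational notes. First, because there is no automatic fail-back, the ASA keeps the tunnel on e.f.g.h after the primary ISP returns until that SA is torn down; `show crypto ipsec sa` (the `current_peer` field) shows which address the tunnel is currently built to, and `clear crypto ipsec sa peer e.f.g.h` followed by `clear crypto ikev1 sa e.f.g.h` forces the next interesting packet to renegotiate, starting again with a.b.c.d. Second, the peer list is only walked when the ASA initiates. If the ASA is meant to be the side that always initiates, Cisco's guidance for multi-peer maps is to add `crypto map vpn_map 10 set connection-type originate-only`; with that setting the ASA will not accept a tunnel the WatchGuard initiates, so leave the default bidirectional type if the WatchGuard also needs to bring the tunnel up from either WAN address (each has a tunnel-group above, so either is accepted).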
