
Site to Site VPN Redundancy using ASA's

What is the best way to set up a redundant site-to-site VPN?

We currently have 2 ASA5510's (8.2) at the HQ and several ASA5505's at remote sites. We would like to have the remote ASA's automatically switch over to the second ASA at the HQ when the primary path fails.

Dual peer addresses on the remote sites with reverse route injection at the HQ and a routing protocol at HQ doesn't work, because the RR already exists when we set up the VPN, even when it's not connected.

Please advise....

Regards,

Erik

6 REPLIES

Re: Site to Site VPN Redundancy using ASA's

just add the secondary external IP address to the current remote site crypto maps.

When the first IP (primary) is not available they will try the secondary, e.g.

crypto map <> <> set peer y.y.y.y z.z.z.z

y.y.y.y = Primary ASA

z.z.z.z = Secondary ASA

HTH


Re: Site to Site VPN Redundancy using ASA's

Thanks for the reply, but the remote site is not the problem! It's the HQ.

Because reverse route injection always injects a route (despite the lack of a valid SA), the core routers do not know where to send the traffic!

Does anybody know how to set up the routing at HQ? Bear in mind that reverse route injection doesn't do what I'd expect it to do.

Regards,

Erik

Re: Site to Site VPN Redundancy using ASA's

OK - reverse route injection only populates a routing table with an entry with a valid IPSEC tunnel....supposedly.

I have seen and continue to see that on ASA ver 8.0 - 8.x reverse route injection does not perform 100%, and I advise against its use. Great function, not 100% bug free yet.

The best way to overcome this issue is to run a dynamic routing protocol in a GRE tunnel over an IPSEC VPN.

Or you just enable the ASAs to be a failover pair, and have the core routers point to the active IP address of the inside of the ASAs.


Re: Site to Site VPN Redundancy using ASA's

RRI does seem to work as expected on dynamic tunnels (EzVPN) but fails on site-to-site.

Using GRE tunnels rules out the ASA's and requires routers (IOS).

Using failover ASA's will not work because we're using two different ISPs on the two ASA's, so ... bye bye ASA's.

Regards,

Erik

Re: Site to Site VPN Redundancy using ASA's

Not entirely game over just yet - you could use IP SLA on the ASA's to check the remote end via an ICMP check. If it fails, the ASA removes the route from its local table and stops redistributing it - then the other ASA will have a valid route and will populate that back into the core.

The below is an indication of what you can try.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
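As an added illustration of the tracked-route design described in this reply (not the poster's configuration nor the linked Cisco example), the fragments below put the dual peers on the remote ASA and an SLA-tracked static route with conditional redistribution on each HQ ASA. All addresses, names and the OSPF process are constructed assumptions.

```cisco
! Remote ASA5505: both HQ outside addresses in one crypto map entry
! (constructed addresses; the second peer is tried when the first fails)
crypto map outside_map 10 match address hq_vpn_acl
crypto map outside_map 10 set peer 198.51.100.10 198.51.100.20
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! Primary HQ ASA5510: ICMP probe to a host on the remote LAN.
! Assumption: 10.20.0.0/16 is the remote LAN and 10.20.0.1 answers ICMP.
! The probe must match the crypto ACL or it is sent in the clear and fails.
sla monitor 10
 type echo protocol ipIcmpEcho 10.20.0.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability

! Static route for the remote LAN that is installed only while track 10 is up.
! 198.51.100.1 is this ASA's ISP gateway (constructed).
route outside 10.20.0.0 255.255.0.0 198.51.100.1 1 track 10

! Redistribute only the tracked VPN routes to the core. When the probe fails
! the route leaves the table and is withdrawn from OSPF automatically, so the
! core falls back to the route advertised by the other HQ ASA.
access-list vpn_routes standard permit 10.20.0.0 255.255.0.0
route-map VPN_STATICS permit 10
 match ip address vpn_routes
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 redistribute static subnets route-map VPN_STATICS

! Secondary HQ ASA5510: identical sla/track/route block with its own ISP
! gateway, but a higher redistribution metric so the primary's route wins
! in the core whenever both probes succeed.
router ospf 1
 network 10.1.2.0 255.255.255.0 area 0
 redistribute static metric 200 subnets route-map VPN_STATICS
```

Verify the behaviour with show track 10 and show route on each HQ ASA while the primary ISP link is down; the tracked route should disappear from the primary and the core should then prefer the secondary's advertisement.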


Re: Site to Site VPN Redundancy using ASA's

Hi,

Could anyone provide a configuration reference about EZVPN (using ASAs on the remote side and 2 redundant ASA servers in 2 different DataCenters)? Is it a possible network design?

Regards
