I have been tasked to configure a VPN failover design so that if the customer's Metro Ethernet connection fails (EIGRP not in the route table), a VPN connection will initiate automatically. The remote site will be the only one to initiate the connection to resources on the main site.
I have included a basic drawing: the main site is on the left, where the firewall is an ASA5510; on the right is the remote site that will initiate the VPN request if needed. Their equipment is a 2811 with the 12.4 security feature set.
My issue seems to be that in my config, when I apply the crypto to the DSL line, the 192.168.2.0/24 network shows up as a connected route. This allows me to access resources but locks the VPN up, and the Metro E is ignored no matter what its status is. The remote site acts as if the only path to connect is via the VPN.
I thought there had to be some sort of policy-based routing I needed to perform, but I am not sure how to go about it.
If I understand your requirement correctly, the branch office network needs to reach the head office via VPN when the HQ network is not being learned via EIGRP (or there are Metro Ethernet issues). If you have default routes (0.0.0.0 0.0.0.0) on both ends pointing to the Internet, and the LAN-to-LAN VPN between both ends is configured correctly, then it will work with no issues. If you want to define more specific paths, add static routes on both ends with a higher administrative distance than EIGRP, pointing to the Internet path.
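The floating-static approach from the answer above, written out as an added example for the remote-site 2811 (this is illustration, not the poster's or the original thread's configuration). Only the branch LAN 192.168.2.0/24 comes from the thread; the HQ LAN 10.1.0.0/16, the Metro-E link 172.16.0.0/30, the EIGRP AS 100, the interface names, the documentation-range public addresses (203.0.113.x for the DSL side, 198.51.100.5 for the ASA outside) and the pre-shared key placeholder are all assumed. The mechanism is simply administrative distance: internal EIGRP routes are installed at AD 90, so a static route for the HQ prefix with AD 200 stays out of the RIB while Metro E is up and is installed only when the EIGRP route is withdrawn. Interesting traffic then leaves via the DSL interface, matches the crypto ACL, and IKE brings the tunnel up.

```cisco
! ===== Remote site 2811 (assumed addressing; only 192.168.2.0/24 is from the thread) =====

! Primary path: HQ prefixes are learned over the Metro-E link via EIGRP (internal AD 90).
router eigrp 100
 network 192.168.2.0 0.0.0.255
 network 172.16.0.0 0.0.0.3
 no auto-summary

! Internet path: a default route so IKE/ESP to the HQ peer always has a next hop.
ip route 0.0.0.0 0.0.0.0 203.0.113.9

! Floating static for the HQ LAN via the ISP next hop.
! AD 200 > 90, so it is hidden while EIGRP supplies 10.1.0.0/16 and
! appears in the RIB only when the EIGRP route is gone (Metro E or neighbor down).
ip route 10.1.0.0 255.255.0.0 203.0.113.9 200

! Crypto ACL: only branch-to-HQ traffic is "interesting" for the tunnel.
ip access-list extended VPN-TO-HQ
 permit ip 192.168.2.0 0.0.0.255 10.1.0.0 0.0.255.255

! IKE phase 1 (group 14 needs a newer 12.4T image; use group 5 on older ones).
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.5

! IKE phase 2 proposal.
crypto ipsec transform-set HQ-TS esp-aes 256 esp-sha-hmac
 mode tunnel

! Deliberately no "reverse-route" here: RRI would inject a static route for
! 10.1.0.0/16 toward the tunnel and pin traffic to the VPN regardless of EIGRP.
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 198.51.100.5
 set transform-set HQ-TS
 match address VPN-TO-HQ

interface FastEthernet0/0
 description Metro Ethernet to HQ (EIGRP)
 ip address 172.16.0.2 255.255.255.252

interface FastEthernet0/1
 description DSL / Internet
 ip address 203.0.113.10 255.255.255.252
 crypto map HQ-MAP

! ===== HQ ASA5510, matching piece (assumed: EIGRP on the ASA, ISP gateway 198.51.100.1) =====
! The same idea in reverse: a floating static toward the branch LAN via the outside
! interface, AD 200, used only once the EIGRP route for 192.168.2.0/24 disappears.
! route outside 192.168.2.0 255.255.255.0 198.51.100.1 200
```

Two checks are worth running on the 2811 before and after pulling the Metro-E link. `show ip route 10.1.0.0` should show the route as `D` (EIGRP, [90/...]) while Metro E is up and flip to `S ... [200/0] via 203.0.113.9` once the EIGRP neighbor drops; `show crypto isakmp sa` and `show crypto ipsec sa` should show no SA in the first state and an active SA with growing encaps/decaps counters in the second, because IKE is only triggered when interesting traffic actually egresses FastEthernet0/1. If the DSL interface also does PAT for Internet access, the 192.168.2.0/24 to 10.1.0.0/16 flows must be denied in the NAT ACL, otherwise the translated source address never matches VPN-TO-HQ and the tunnel never negotiates.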
Thanks for the quick response. That's what I thought too, but what is happening is that once I put the crypto statement on my Internet interface, it sees the VPN destination network as a connected route. So when I reconnect the Metro E, that route is ignored. It never makes it to the routing table because a connected route beats out any other metric. I will check it again to confirm.
Log in to the FXOS chassis manager.
Point your browser to https://hostname/ and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, permitting tcp from the inside interface to any6.
In Syslog I also se...