Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

ASA Dual ISP - VPN L2L?

Hi

I have an asa cluster where L2L Tunnels are configured.

Now i want to have an Backup ISP at the ASA side.

What i have done is SLA Monitoring for the ISP backup if the primary ISP fails.

But how can i cant the crypto map to the "backup interface" i think that it is not possible to have the same crypto map on 2 interfaces.

I found much about this question in netpro, but not really a solution.

regards

Bernhard

2 REPLIES
New Member

Re: ASA Dual ISP - VPN L2L?

Hello!

I have the same issue but the swap from the primary to the backup works well, but the swap form the backup to the primary is a problem because I have to active SAs with the same cryptodomain and that's why the the asa don't know which SAs should take it.

Here a configuration output:

crypto map outside1_map 1 match address outside1_1_cryptomap

crypto map outside1_map 1 set peer 1.1.1.1 2.2.2.2

crypto map outside1_map 1 set transform-set ESP-3DES-SHA

crypto map outside1_map 1 set security-association lifetime seconds 28800

crypto map outside1_map 1 set security-association lifetime kilobytes 4608000

crypto map outside1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside1_map interface outside1

crypto map outside2_map 1 match address outside2_1_cryptomap

crypto map outside2_map 1 set peer 2.2.2.2 1.1.1.1

crypto map outside2_map 1 set transform-set ESP-3DES-SHA

crypto map outside2_map 1 set security-association lifetime seconds 28800

crypto map outside2_map 1 set security-association lifetime kilobytes 4608000

crypto map outside2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside2_map interface outside2

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 10 retry 3

tunnel-group 2.2.2.2 type ipsec-l2l

tunnel-group 2.2.2.2 ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 10 retry 3

mfg

schannro

New Member

Re: ASA Dual ISP - VPN L2L?

Hi Bernahard,

Have found any solution to this ? I am facing the same issue,

Regards,

Janaka

179
Views
0
Helpful
2
Replies
CreatePlease to create content