Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
477
Views
0
Helpful
3
Replies

asa primary and backup

mialbert
Level 1
Level 1

‎08-21-2012 09:21 AM

I have a primary and backup asa5510.  The primary has numerous site ipsec vpn's configured with different isr's, the backup also has the same site vpn's configured.  Each isr has a backup peer to the backup asa configured.  Both primary and backup peers are establishing at times and at other times it fails over completely to backup when primary is active.  Have tried answer only at backup asa and this has no effect

The configuration at the isr is as below:

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to1.1.1.1

set peer 1.1.1.1

set peer 2.2.2.2

set transform-set ESP-3DES-SHA

match address 101

Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-21-2012 10:32 AM

When using the ASA as a VPN appliance it is designed to operate only in Active-Standby High Availability (HA) mode. Peers should have VPN configured to only the Active outside IP address.

In the event of a failover, the former Standby unit (now Active) is designed to take over the IP address and continue servicing the VPN tunnels.

0 Helpful

Karsten Iwen
VIP
VIP

‎08-21-2012 02:14 PM

I understand your scenario that you are not running your ASAs in a failover-mode but completely independent on different providers. Is that right?

That can make problems as the router sends traffic into that VPN from that the router has seen traffic the last time. If that changes for some reasons from ASA1 to ASA2 or vice versa, then the state-check from the ASA can drop that traffic.

I would say you are using the wrong tool for the right job.

If you have the option that you should terminate these S2S-tunnels on an IOS-router. That way you dont't have the firewalling and you can easily use routing-protocols to detect VPN-failures.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

mialbert
Level 1
Level 1
In response to Karsten Iwen

‎08-24-2012 08:23 AM

this was the default switch on the primary peer statement.  Thanks anyway

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents