Cisco Support Community
New Member

asa primary and backup

I have a primary and backup ASA 5510. The primary has numerous site IPsec VPNs configured with different ISRs, and the backup also has the same site VPNs configured. Each ISR has a backup peer to the backup ASA configured. Both primary and backup peers are establishing at times, and at other times it fails over completely to backup when primary is active. Have tried answer-only at the backup ASA and this has no effect.

The configuration at the ISR is as below:

    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to1.1.1.1
     set peer 1.1.1.1
     set peer 2.2.2.2
     set transform-set ESP-3DES-SHA
     match address 101

3 REPLIES
Hall of Fame Super Silver

asa primary and backup

When using the ASA as a VPN appliance it is designed to operate only in Active-Standby High Availability (HA) mode. Peers should have VPN configured to only the Active outside IP address.

In the event of a failover, the former Standby unit (now Active) is designed to take over the IP address and continue servicing the VPN tunnels.

VIP Purple

Re: asa primary and backup

As I understand your scenario, you are not running your ASAs in failover mode but completely independently on different providers. Is that right?

That can cause problems, as the router sends traffic into the VPN from which it last saw traffic. If that changes for some reason from ASA1 to ASA2 or vice versa, then the state check on the ASA can drop that traffic.

I would say you are using the wrong tool for the right job.

If you have the option, you should terminate these S2S tunnels on an IOS router. That way you don't have the firewalling and you can easily use routing protocols to detect VPN failures.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

asa primary and backup

This was the default switch on the primary peer statement. Thanks anyway.
