We have an ASA here with two ISP links running directly to it. The ASA provides LAN-to-LAN VPN tunnel services between us and our partner company. The partner company has two separate sites, which we will call Site A and Site B.
Our ASA's primary ISP interface has a VPN tunnel connected to Site A. The secondary ISP interface has a VPN tunnel connected to Site B. Therefore, provided our primary ISP is up and Site A's ISP is up, all traffic flows over this tunnel, as we have a static route that says all traffic to the remote site goes out the primary ISP interface. We have another static route with a higher cost for the secondary ISP interface.
What we need to incorporate is some form of redundancy where, if the tunnel goes down, we start to route all traffic over the Site B tunnel. The trouble is, I know we can track static routes and the like for IP connectivity, but can we track tunnel status or something else?
My concern is that if IP connectivity to Site A is fine but, for whatever reason, the tunnel goes down, the ASA has no way of knowing this and will just keep trying to send traffic that way.
I hope this makes sense and I look forward to hearing some recommendations! Thanks in advance,
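The tracked-static-route approach the question mentions, as an added example configuration (not posted by anyone in this thread): instead of probing the ISP next hop, the SLA probe targets a host on the far side of the Site A tunnel, so the track goes down when the tunnel itself stops passing traffic, not only when the ISP link fails. Interface names, next hops, the partner prefix and the probe target are assumptions chosen for illustration.

```cisco
! Assumed addressing (not from the thread):
!   outside = primary ISP interface, next hop 203.0.113.1, tunnel to Site A
!   backup  = secondary ISP interface, next hop 198.51.100.1, tunnel to Site B
!   partner LAN 10.20.0.0/16 reachable via either site; 10.20.0.10 is a host at Site A
!
! ICMP echo to a host INSIDE Site A, sent out the primary interface.
! If the Site A tunnel is down the echo gets no reply even though the ISP is fine.
sla monitor 10
 type echo protocol ipIcmpEcho 10.20.0.10 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! Primary path via the Site A tunnel; withdrawn from the routing table when track 1 is down
route outside 10.20.0.0 255.255.0.0 203.0.113.1 1 track 1
!
! Floating backup via the Site B tunnel; higher metric, so it is only installed
! while the tracked primary route is withdrawn
route backup 10.20.0.0 255.255.0.0 198.51.100.1 254
```

Two checks before relying on this: the probe is sourced from the outside interface address, so the Site A crypto ACL on both ends must cover that address to the probe target (an assumption about your existing crypto ACLs), otherwise the echo leaves in the clear and the track fails permanently; and `frequency` must be longer than the probe `timeout` (default 5000 ms), or the ASA rejects the schedule. Verify with `show track 1` and `show route` while you administratively clear the Site A tunnel.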
Please come back and tell us how you did it in the end. I am very much interested in this setup.
Here is what we did; it is very simple. In our case we created GRE-over-IPsec tunnels between the two sites and ran a routing protocol. The routing protocol takes care of redundancy; after all, that is what they are designed for!
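The GRE-over-IPsec-plus-routing-protocol design described in the reply above, as an added example IOS router configuration (not the replier's own config): one GRE tunnel per ISP link, each protected by an IPsec profile, with EIGRP running across both so that neighbor loss on one tunnel withdraws its routes and traffic falls back to the other. Interface names, peer addresses, prefixes and the pre-shared key placeholders are assumptions for illustration.

```cisco
! Assumed addressing (not from the thread):
!   Gi0/0 = primary ISP (next hop 203.0.113.1), Site A peer 203.0.113.50
!   Gi0/1 = secondary ISP (next hop 198.51.100.1), Site B peer 198.51.100.50
!   our LAN 192.168.10.0/24; the partner advertises its prefixes over EIGRP
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PSK-SITE-A address 203.0.113.50
crypto isakmp key PSK-SITE-B address 198.51.100.50
!
! Transport mode is enough: GRE already supplies the outer encapsulation
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 description GRE to Site A over primary ISP
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 delay 5000
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.50
 tunnel protection ipsec profile GRE-PROT
!
interface Tunnel1
 description GRE to Site B over secondary ISP
 ip address 10.255.0.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 delay 6000
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.50
 tunnel protection ipsec profile GRE-PROT
!
! Pin each tunnel endpoint to its own ISP so the outer packets do not
! all follow a single default route
ip route 203.0.113.50 255.255.255.255 203.0.113.1
ip route 198.51.100.50 255.255.255.255 198.51.100.1
!
router eigrp 100
 network 10.255.0.0 0.0.0.7
 network 192.168.10.0 0.0.0.255
```

The explicit `delay` values are what make EIGRP prefer the Site A tunnel: with equal bandwidth on both tunnel interfaces the higher cumulative delay on Tunnel1 gives its routes a worse metric, so they sit as feasible successors and are promoted only when the Site A neighbor is lost (EIGRP hold timer, 15 seconds by default). The reduced `ip mtu` and MSS clamp account for the GRE plus ESP overhead. This needs routers rather than the ASA from the question, since the ASA does not terminate GRE; the nearest ASA equivalent is the route-based VTI VPN available from ASA 9.7, which likewise lets a routing protocol decide the path.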
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...