ASA site2site VPN headend redundancy

Hi, here is my situation: we have two ISPs in HQ. The ASA has an outside IP from ISP1, and we have a WAN load-balancer sitting in front of the ASA; when ISP1 goes away, the WAN load-balancer will NAT the ISP1 IP to the ISP2 IP.

Now I want to implement site2site VPN redundancy for the remote offices. I am not sure whether the following configuration on the remote ASA would work:

crypto map mymap 1 match address traffic_to-HQ
crypto map mymap 1 set peer ISP1_IP
crypto map mymap 2 match address traffic_to-HQ
crypto map mymap 2 set peer ISP2_IP

tunnel-group ISP1_IP
<tunnel-group configuration>

tunnel-group ISP2_IP
<tunnel-group configuration, exactly the same as above>

ISP1_IP and ISP2_IP are essentially the same IP (the HQ ASA's outside IP) after the WAN load-balancer's static NAT. I am wondering what the effect of the above configuration is: would the remote ASA establish two ISAKMP/IPsec SAs to the HQ ASA, or would the remote establish only the first one? If the latter, is it because crypto map seq 1's "match address" ACL is the same as seq 1's?

1 REPLY

Re: ASA site2site VPN headend redundancy

From the spoke's perspective, you will set up one crypto map entry that points to a primary and a secondary peer IP. For example:

crypto map mymap 1 match address traffic_to-HQ
crypto map mymap 1 set peer ISP1_IP ISP2_IP
crypto map mymap 1 set transform-set TSET

tunnel-group ISP1_IP
tunnel-group ISP2_IP
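As an added illustration of the two configurations discussed in this thread (example code, not part of the original post or any Cisco tool), the lint below parses spoke crypto map entries and reports the two problems with the questioner's version: the second sequence reuses the same match ACL as the first, so it is shadowed because entries are evaluated in sequence order, and each entry carries only one peer, so neither has a backup. The reply's single-entry, two-peer form passes clean. Config text and the `check_redundancy` helper are constructed for this example.

```python
import re

# Constructed sample: the questioner's two-entry spoke config.
TWO_ENTRY_CFG = """
crypto map mymap 1 match address traffic_to-HQ
crypto map mymap 1 set peer ISP1_IP
crypto map mymap 2 match address traffic_to-HQ
crypto map mymap 2 set peer ISP2_IP
"""

# Constructed sample: the single-entry form recommended in the reply.
MULTI_PEER_CFG = """
crypto map mymap 1 match address traffic_to-HQ
crypto map mymap 1 set peer ISP1_IP ISP2_IP
crypto map mymap 1 set transform-set TSET
"""

# Only the two sub-commands that matter for peer redundancy are parsed.
LINE_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (.+)$")


def parse_crypto_map(cfg):
    """Return {map_name: {seq: {'acl': str|None, 'peers': [str, ...]}}}."""
    maps = {}
    for line in cfg.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, seq, kind, rest = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        entry = maps.setdefault(name, {}).setdefault(seq, {"acl": None, "peers": []})
        if kind == "match address":
            entry["acl"] = rest.strip()
        else:
            entry["peers"].extend(rest.split())  # 'set peer A B' lists peers in priority order
    return maps


def check_redundancy(cfg):
    """Flag shadowed entries (same ACL as an earlier seq) and entries with no backup peer."""
    findings = []
    for name, entries in parse_crypto_map(cfg).items():
        first_seq_for_acl = {}
        for seq in sorted(entries):  # ASA evaluates crypto map entries lowest seq first
            acl, peers = entries[seq]["acl"], entries[seq]["peers"]
            if acl in first_seq_for_acl:
                findings.append(f"{name} seq {seq}: same ACL {acl} as seq "
                                f"{first_seq_for_acl[acl]}, so seq {seq} is never selected")
            else:
                first_seq_for_acl[acl] = seq
            if len(peers) < 2:
                findings.append(f"{name} seq {seq}: single peer {', '.join(peers)}; no backup")
    return findings
```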
