I have 150+ vendors connected to our primary data center via site-to-site IPSEC VPN tunnels on ASAs. I want to also connect these vendors to my D/R data center and have these back-up tunnels (at each vendor location) become active whenever a primary tunnel fails. I need to view this solution from the vendor's ASAs since each vendor manages the devices on both ends of the tunnels (these are banks, etc., partners that don't allow us to manage our hardware on their network).
So, I'm looking for a solution that monitors the primary ISP tunnel(s) on (physical interface-1) to my primary data center, then, upon failure of the primary ISP tunnel(s), the back-up ISP tunnel(s) will become active between that vendor and my D/R data center's ASA. The diagram below depicts my desired solution.
Are you wanting the DR site to activate automatically with no user intervention if the primary goes down? What type of failure are you expecting to have the tunnel swing?
Off the top of my head I am thinking this can be done via routing via BGP. If the primary link goes down the IP being announced from DR will become preferred and traffic will flow that direction. It will require authentication I am sure, I have not set that up so I am not sure how that will work exactly. However, technically it should work.
I need to look at this from the vendors' perspective. Remember, these vendors individually manage the ASAs at their site. I need their ASA to do the DPD and switch-over to the alternate interface that connects to my D/R data center. So, if using BGP is a better solution than something like a track-IP / VPN-Monitor function, then that just might be simpler. Especially since the back-up tunnel points to the D/R data center's server IPs. That will stop the traffic from going through the D/R dc and traversing the DC to DC link and going back towards the primary DC's servers.
OK, I'll look at BGP.
Let me know if you have any additional comments based upon the above.
I understand what you are saying. I have not set up track IP or VPN monitor, but it does sound like routing can help with this situation. As mentioned, BGP will allow for multiple routing announcements with weights. If the primary announcement is pulled then the secondary announcement will then be preferred.
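The track-IP / VPN-monitor approach mentioned in the thread, written out as an added example of a vendor-side ASA configuration (it is not from any poster in this thread). It assumes two ISP interfaces on the vendor ASA, a primary DC peer at 203.0.113.1, a DR peer at 203.0.113.129, a vendor LAN of 10.10.0.0/16, and that the same server range 172.16.0.0/16 is reachable through both data centers; all addresses, names and the pre-shared key placeholder are constructed.

```text
! ISP-A interface: path to the primary DC
interface GigabitEthernet0/0
 nameif outside-primary
 security-level 0
 ip address 192.0.2.10 255.255.255.0
! ISP-B interface: path to the D/R DC
interface GigabitEthernet0/1
 nameif outside-backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! Probe the primary DC's VPN peer address (not just the ISP gateway), so a
! dead DC ASA triggers failover even when ISP-A itself is still up
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside-primary
 frequency 5
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability
!
! Tracked default route via ISP-A; floating route via ISP-B takes over when
! the probe fails, so the crypto map on outside-backup starts matching traffic
route outside-primary 0.0.0.0 0.0.0.0 192.0.2.1 1 track 10
route outside-backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
object network VENDOR-LAN
 subnet 10.10.0.0 255.255.0.0
object network CUSTOMER-SERVERS
 subnet 172.16.0.0 255.255.0.0
access-list VPN-TRAFFIC extended permit ip object VENDOR-LAN object CUSTOMER-SERVERS
!
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! Primary DC tunnel, bound to ISP-A
crypto map MAP-PRIMARY 10 match address VPN-TRAFFIC
crypto map MAP-PRIMARY 10 set peer 203.0.113.1
crypto map MAP-PRIMARY 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map MAP-PRIMARY interface outside-primary
! D/R DC tunnel, bound to ISP-B (same protected traffic, different peer)
crypto map MAP-BACKUP 10 match address VPN-TRAFFIC
crypto map MAP-BACKUP 10 set peer 203.0.113.129
crypto map MAP-BACKUP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map MAP-BACKUP interface outside-backup
crypto ikev2 enable outside-primary
crypto ikev2 enable outside-backup
!
! DPD on the primary peer so a dead SA is torn down instead of blackholing
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PLACEHOLDER-PSK>
 ikev2 local-authentication pre-shared-key <PLACEHOLDER-PSK>
 isakmp keepalive threshold 10 retry 3
```

A matching tunnel-group for 203.0.113.129 with its own DPD settings is needed on the backup side, and the two DC ASAs must also be able to identify the vendor by whichever public source address is in use.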