I have an interesting scenario and can't work out how to solve my problem.
We have multiple sites. Each site has two P2P links back to different data centres, and in turn the data centres are connected to each other via P2P links. OSPF runs across the network to provide redundant routing, so there is no single point of failure. Two of the data centres have Internet breakout via Fortigate firewalls. These participate in OSPF and advertise weighted default routes to the rest of the network. This all works well.
The problem I have relates to one site which connects in via an IPsec tunnel (from an ASA to the Fortigate in the Primary DC). I need to set things up so that if the firewall in the Primary DC goes down for whatever reason, the ASA at the remote site initiates a VPN connection to the firewall in the Secondary DC.
From what I have found online, if we had ASAs at both ends I could make use of the Backup LAN-to-LAN feature. If we had IOS routers (or at least an IOS router at the remote site rather than an ASA), I could use the IPsec Preferred Peer option.
Does anyone know how I can achieve what I need with the hardware currently in place? If I need to replace hardware, then swapping out the ASA at the remote site for a Fortigate will likely be the easiest and most cost-effective route to take.
Thanks for the reply, Marcin. Both of your suggestions are good ones; however, in this scenario both DC firewalls are alive at the same time, so there needs to be some kind of logic on the device at the remote site to say that it should only use tunnel B if tunnel A is down.
Thinking on this, is it possible to run an 'interface' or 'routed' mode IPsec VPN with the ASA? I know this is possible with the Fortigates, and I think it's the default mode for Junipers. If that were possible, we might be able to have both tunnels up and have OSPF run over them, which would be another way to solve this problem.