We have IPSec VPN tunnels sourced on ASA appliances connected to Router R1 where the WAN link is terminated.
Here we are about to add another WAN link with a connection from a different ISP. Our concern is how the tunnel will be rerouted through the other link with the same source IPs, seeing that the backup ISPs won't allow the primary ISP's IP CIDR through their cloud? Basically the idea is to keep the design simple & hassle free.
The new setup will incorporate these changes. Please note only one ASA appliance is in use.
ASA --> Router R1 with Primary link/ISP (public IPs of Primary ISP)
ASA --> Router R2 with Secondary link/ISP (public IPs of Secondary ISP)
How can the tunnels be sourced with the same IPs of the primary ISP in case of a link failure? Or alternatively, what is the best solution?
Honestly the best way to have this set up is to get your own IP space, ASN, and run BGP with the two peers. This way when you terminate the tunnel to the IP it will be routable through both links and you control the announcement, not the peers. You can manually fail it over but it will require two tunnels and it can be an admin headache.
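A sketch of the BGP arrangement suggested in the answer above, added here as an illustration and not taken from the thread or from any poster's configuration. All values are constructed assumptions using documentation ranges: own AS 64496, own prefix 203.0.113.0/24 on the LAN segment shared by R1, R2 and the ASA outside interface, primary ISP peer 192.0.2.1 (AS 64500), secondary ISP peer 198.51.100.1 (AS 64501).

```cisco
! ---------- R1 (primary ISP) ----------
! Assumption: 203.0.113.0/24 is the connected segment facing the ASA,
! so the "network" statement finds an exact match in the routing table.
router bgp 64496
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 description PRIMARY-ISP
 ! Announce only our own prefix, so we never become a transit path
 neighbor 192.0.2.1 prefix-list OWN-PREFIX out
 ! Accept only a default route from the ISP
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
!
ip prefix-list OWN-PREFIX seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! ---------- R2 (secondary ISP) ----------
router bgp 64496
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 description SECONDARY-ISP
 neighbor 198.51.100.1 prefix-list OWN-PREFIX out
 neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
 ! Lengthen the AS path so inbound traffic prefers the primary link
 ! while it is up and falls back to this link when R1's route is withdrawn
 neighbor 198.51.100.1 route-map PREPEND-OUT out
!
ip prefix-list OWN-PREFIX seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map PREPEND-OUT permit 10
 set as-path prepend 64496 64496 64496
```

With the ASA's tunnel endpoint addressed from the owned prefix, remote peers keep the same peer IP regardless of which link carries the traffic. Outbound next-hop redundancy between R1 and R2 (for example a first-hop redundancy protocol on the shared segment) is assumed and not shown.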