Multiple site-to-site VPNs with the same interesting traffic (HA VPN)
Hi All, I am trying to set up two site-to-site VPNs to 2 ASAs from a common single router such that the ASAs represent different branches. What I want to accomplish is to set up a VPN to both of these branch ASAs from a router such that the interesting traffic is the same for both, i.e., I want to know how I can set up this tunnel using SLA monitor such that when one ISP goes down the router or ASA establishes the tunnel automatically to the other VPN peer. When I tried configuring multiple VPN peers in the crypto map, the VPN is only being established to the first one in the peer list. Is it possible to implement this VPN HA solution? I tried searching for a similar setup but couldn't find one. I appreciate your suggestions. Regards, Bobby
Appreciate your response. I have added the topology diagram. What I am trying to achieve is a backup VPN. Consider R6 as an ISP cloud. I have already set up a VPN between ASA1 and R1, but I want to create a standby VPN to ASA3 from R1 in case the ASA1 link to R1 fails. I have configured SLA route tracking to route through ASA3 in case of a link failure. But I am not able to bring up the second tunnel, as the router is not initiating the VPN tunnel to ASA3 even though it has been added to the VPN peer list (as the second peer); even when the link is down it only tries to establish the VPN to the first peer in the list. I want to know how I can do this using the current setup. By the way, the VPN access-list (interesting traffic) is the traffic from the R1 loopback interfaces (lo10 and lo20) to the R5 loopback interfaces (lo30 and lo40), i.e., 10.10.10.1/126.96.36.199 to 188.8.131.52/184.108.40.206 and vice versa. Assigning a public IP to a loopback interface is not an option. Any other suggestions?
This will be quite tricky... unless you have the ASAs in an Active/Standby failover setup. Some creative IP SLA tracking config will be needed on both R1 and R5, and routing will need to be taken into account, because if you have two default routes on R5 you need to ensure that the tracking ICMP traffic selects the correct path and does not load-balance over the two links.
Any chance you can set up the ASAs in active/standby failover?
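The following is an added example of the kind of IP SLA tracking plus dual-peer crypto map configuration discussed in this thread; it is not configuration from the original poster or from the replies, and all addresses, interface names, object names and the pre-shared-key placeholders are constructed (RFC 5737 documentation ranges), not the poster's topology. It is written for the IOS router side (R1) and assumes each ASA is reachable through its own ISP next hop.

```cisco
! Added example (not from the thread): hub router R1 with two IPsec peers
! (ASA1 primary via ISP A, ASA3 backup via ISP B) and IP SLA-tracked routes.
! All addresses below are constructed documentation values.
!
! --- Reachability probes, one per remote peer ---
ip sla 1
 icmp-echo 198.51.100.10 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.0.113.10 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 15 up 30
track 2 ip sla 2 reachability
 delay down 15 up 30
!
! --- Routing ---
! Host routes pin each peer (and therefore each probe and each IKE exchange)
! to its own ISP link, so the probes can never be load-shared across both
! default routes, which is the caveat raised in the reply above.
ip route 198.51.100.10 255.255.255.255 198.51.100.1
ip route 203.0.113.10 255.255.255.255 203.0.113.1
! Primary default route is withdrawn when track 1 goes down; the floating
! static (AD 10) via ISP B then takes over.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10 track 2
!
! --- IKE / IPsec ---
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PSK-ASA1-PLACEHOLDER address 198.51.100.10
crypto isakmp key PSK-ASA3-PLACEHOLDER address 203.0.113.10
! Dead peer detection: without it the router keeps an IKE SA to a peer
! that has silently disappeared and never tries the second peer.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Same interesting traffic for both peers (constructed loopback networks).
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 10.30.30.0 0.0.0.255
 permit ip 10.20.20.0 0.0.0.255 10.40.40.0 0.0.0.255
!
! One crypto map entry, two peers: IOS negotiates with the first listed
! peer and moves to the next only when that negotiation fails or DPD
! declares the peer dead. 'default' marks ASA1 as the preferred peer so
! the router returns to it once it is reachable again.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10 default
 set peer 203.0.113.10
 set transform-set TS
 match address VPN-TRAFFIC
!
! The map is bound to both WAN interfaces because no public IP is
! available for a loopback to use with 'crypto map ... local-address'.
interface GigabitEthernet0/0
 description ISP A
 ip address 198.51.100.2 255.255.255.0
 crypto map VPNMAP
interface GigabitEthernet0/1
 description ISP B
 ip address 203.0.113.2 255.255.255.0
 crypto map VPNMAP
```

Two points this layout depends on. First, the peer host routes are what make the failover observable to IKE: when ISP A is down, 198.51.100.10 becomes unreachable rather than being routed out ISP B, so IKE retransmissions to ASA1 time out and the map falls through to ASA3. Second, the ASAs see R1 with a different source address depending on which WAN interface it uses, so ASA3 must be configured with R1's ISP B address as its peer, and each ASA's crypto ACL must mirror VPN-TRAFFIC. Verify with `show crypto isakmp sa`, `show crypto ipsec sa peer 203.0.113.10` and `show track` after shutting the ISP A interface.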