question about site to site VPN failover on an ASA

Hello all. I am building a site to site VPN from our headquarters to a customer. I am using an ASA 5520. The customer is using Cisco 3945 routers. The customer has two VPN termination points. The customer requests that we make one of their termination points the primary VPN connection and make the other termination point the backup in the event that the primary VPN fails. How do I configure this on the ASA? Does the below configuration fulfill this goal?

crypto map cccccc 10 set peer 2.2.2.2 1.3.3.3

3 REPLIES
question about site to site VPN failover on an ASA

I have a similar question.  I have a crypto map on the ASA with multiple peers - that appears to work.  However, if the first peer is not available, and the second peer is used...  It never fails BACK to the first peer when it becomes available again.  How can I make it fail back to the primary?

This is an ASA with only a single ISP.

question about site to site VPN failover on an ASA

I have just encountered a similar situation.  It seems to work near enough, but I still consider it a hack.  

Also if the second peer (887 router in this case) attempts to bring up the IPSec tunnel the ASA drops the primary tunnel and re-establishes it, causing brief packet loss during the tunnel bounce.  A debug shows an error that it thinks the peer IP has changed, hence the tunnel should be dropped!!!

I'm just using HSRP on the access site between 2 x 887's tracking the WAN interface.  On the ASA side I have both peers defined in the same way "crypto map cccccc 10 set peer 2.2.2.2 1.3.3.3".

The ASA feature set just hasn't improved in this space since the VPN3000 days, it may have actually gone backwards. Introduction of VTI interfaces and support for routing protocols over tunnels should have been introduced into the ASA years ago, but from what I understand has been put in the too hard basket.

Cheers

Kent.
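For reference, here is the multi-peer crypto map from the original question placed in a fuller ASA configuration. This is an added example, not configuration from any poster in this thread: the map name "cccccc" and the peer addresses 2.2.2.2 and 1.3.3.3 are the ones quoted above; the ACL name, subnets, transform-set name, ISAKMP policy values and the pre-shared key placeholder are assumptions, and the syntax is the pre-8.4 ASA form (crypto isakmp / crypto ipsec).

```cisco
! Added example (not from the thread): one crypto map entry with a primary and a backup peer.
! Map name and peer addresses come from the original question; everything else is assumed.
!
! Interesting traffic (assumed ACL name and subnets)
access-list VPN-TO-CUSTOMER extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
!
! Phase 1 (assumed policy values)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 transform set (assumed name)
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Peers are tried in the order listed: the ASA builds the tunnel to 2.2.2.2 and
! only falls through to 1.3.3.3 when the first peer does not respond.
crypto map cccccc 10 match address VPN-TO-CUSTOMER
crypto map cccccc 10 set peer 2.2.2.2 1.3.3.3
crypto map cccccc 10 set transform-set ESP-AES256-SHA
crypto map cccccc interface outside
!
! One tunnel-group per peer address, each with the same key and DPD keepalives,
! so a dead primary is detected within seconds instead of at SA lifetime expiry.
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
tunnel-group 1.3.3.3 type ipsec-l2l
tunnel-group 1.3.3.3 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
```

Two points from the replies above are worth checking against this layout. First, the peer list only governs which address the ASA tries when it initiates: once a tunnel is up to 1.3.3.3, the ASA keeps using it until that SA is torn down, and only then walks the list again from 2.2.2.2. Failback to the primary therefore happens at the next SA rebuild (lifetime expiry, idle timeout, or a manual clear of the backup peer's SAs), not automatically when the primary returns. Second, because both peer addresses share the one crypto map entry, an inbound negotiation from the standby 887 is treated as the same tunnel arriving from a different address, which is the "peer IP has changed" bounce described above; on the customer side the HSRP tracking should ensure only the active router ever initiates.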

Re: question about site to site VPN failover on an ASA

ASA is a firewall. It is NOT a true VPN device. It lacks a lot of VPN features that you normally see in IOS routers.

For primary/backup VPN termination endpoints, I suggest you get rid of the ASA and go with IOS routers.  There are several options you can use with IOS routers such as VTI, DMVPN and GRE/IPSec.  My personal recommendation is GRE/IPSec because it can also work with non-Cisco devices (Checkpoint/Nokia/IPSO combinations).  With DMVPN, both sides need to be Cisco.  VTI, can't comment much on it since I do not use it very often.

By the way, none of these features are available in ASA appliances.
