Redundant(Active/Passive) VPN

smiley_dba
Level 1

All,

I am very lost trying to create a redundant VPN setup. Any input would be greatly appreciated. Here is the info and a drawing to help out.

FW_1 Side

FW_1 has two connections to our simulated "internet" for redundancy purposes.

The router has a split q tagged interface that exists on two subnets, one for each of the internet routers.

An SLA track is set up on his router to monitor the reachability of the HSRP (172.16.0.1) address of internet routers A and B via an explicit static route:

ip route 172.16.0.1 255.255.255.255 172.16.2.1

When it is unable to reach this address via this route, it removes the default route

ip route 0.0.0.0 0.0.0.0 172.16.2.1 track 1

from the routing table, leaving only the higher-cost route:

ip route 0.0.0.0 0.0.0.0 172.16.3.3 254

Outbound traffic is now sent via internet router B.

FW_2 Side

The 5510 is set up with two tunnels. Each tunnel is identical with the exception of the peer to which they connect. There is one tunnel for each interface of the VPN router.

The ASA device seems to only want to send return traffic to the first VPN tunnel group it finds when reading its config. The way the config is at the moment, that tunnel is the one for peer 176.16.3.10. To clarify in the config I sent you, tunnelled traffic currently only works when the internet A router has failed and the tunnel is established from branch office peer 176.16.3.10. I did originally have it configured the other way so that it only worked when internet A was up but I swapped them over to test my theory that it was whichever tunnel was highest in the list and didn't change it back before sending you the config!


What We're Hoping For

We'd like the VPN tunnel to automatically fail over in the event that the primary internet connection at the Branch Office end dies.

We'd like the backup VPN tunnel to only be used in the event of the failure of the primary and for it to return once the primary comes back up.

Thank you.

smiley_dba
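The tracked-route failover the post describes, written out as a complete IOS fragment, together with the usual ASA-side arrangement for a remote peer that can arrive from two addresses: one crypto map entry listing both peers, rather than two entries sharing the same match ACL (with two entries, the first one that matches the traffic wins, which is the behaviour the post reports). This is an added example, not the poster's config; the interface name, probe timers, the 10.x networks, the branch peer addresses (172.16.2.10 primary, 172.16.3.10 backup) and the transform set are assumptions.

```cisco
! --- Branch router (FW_1 side), Cisco IOS ---
! Probe the HSRP address via the sub-interface on the router A subnet
! (interface name assumed).
ip sla 1
 icmp-echo 172.16.0.1 source-interface GigabitEthernet0/0.2
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe. The delays dampen flapping so one lost
! echo does not withdraw and reinstall the default route.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Host route pins the probe to the router A path; without it the echo would
! follow whichever default route is currently installed and never fail.
ip route 172.16.0.1 255.255.255.255 172.16.2.1
ip route 0.0.0.0 0.0.0.0 172.16.2.1 track 1
ip route 0.0.0.0 0.0.0.0 172.16.3.3 254
!
! --- ASA 5510 (FW_2 side) ---
! One crypto map entry with both branch peers (addresses assumed). The ASA
! then keeps a single SA for this entry with whichever peer negotiated it,
! so return traffic follows the live tunnel instead of the first map entry.
access-list VPN_TRAFFIC extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 172.16.2.10 172.16.3.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! A tunnel-group per peer address. ISAKMP keepalives let the ASA notice the
! SA to the failed path is dead, so the branch can rebuild on the primary
! once track 1 comes back up.
tunnel-group 172.16.2.10 type ipsec-l2l
tunnel-group 172.16.2.10 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
tunnel-group 172.16.3.10 type ipsec-l2l
tunnel-group 172.16.3.10 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
```

On the router, `show track 1` and `show ip route 0.0.0.0` confirm which default route is installed during a test failover; on the ASA, `show crypto ipsec sa` shows which peer currently holds the SA.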

1 Reply

smiley_dba
Level 1

What I'm looking for is, what would be the syntax to do a redundant VPN?

smiley_dba