I need some assistance in properly setting up a failover tunnel on spoke connections. We have ASAs located at two separate data centers. I would like for a router at a remote location to fail over to a separate ASA, given the initial tunnel goes down.
I am thinking that I should utilize one of these two ways:
! Option 1: one crypto map entry with a preferred (default) peer and a backup peer
crypto map tohub 1 ipsec-isakmp
 set peer 10.1.1.1 default
 set peer 10.2.2.2
 set security-association idle-time 120 default

! Option 2: two crypto map entries, one per hub peer
crypto map tohub 10 ipsec-isakmp
 set peer 10.1.1.1
crypto map tohub 20 ipsec-isakmp
 set peer 10.2.2.2
Is it possible, and would I need to set up two RSA keys on the remote routers?
While both configs would be possible, I believe that the first one is closer to providing the functionality that you describe of failing over to the other peer if the first one fails. The first alternative has a single tunnel and is a bit simpler. In the second approach you are configuring 2 tunnels, and they both will be active all the time.
I have done a project for a customer where we did something similar. In that case we chose to configure 2 tunnels. We also configured the IPSec VPN to run with GRE. We run a dynamic routing protocol over the GRE tunnel, and the choice of which tunnel to send traffic over, the automatic detection of loss of a peer, and the failover to the other peer are handled by the routing protocol. This works fine, but it does introduce some complexities not present in the single tunnel approach.
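As an added illustration of the single-tunnel approach the answer favours (example configuration written for this page, not the poster's or the answerer's own config), here is a complete spoke-side IOS fragment around the first crypto map from the question. It adds the piece that actually makes failover happen: IKE Dead Peer Detection, which is what declares the primary hub unreachable so the crypto map moves to the backup peer. The hub addresses 10.1.1.1 and 10.2.2.2 are taken from the question; the interface name, pre-shared key values, ACL, transform set and LAN prefixes are placeholders.

```cisco
! Added example for this page (not from the original post).
! 10.1.1.1 and 10.2.2.2 are the hub peers from the question; everything else
! (interface, key values, ACL, transform set, LAN prefix) is a placeholder.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One pre-shared key per hub peer address. With RSA signatures instead, the
! spoke would hold a single key pair plus a certificate trusted by both hubs.
crypto isakmp key PLACEHOLDER-KEY-HUB1 address 10.1.1.1
crypto isakmp key PLACEHOLDER-KEY-HUB2 address 10.2.2.2
!
! Dead Peer Detection: probe the peer every 10 s and retry every 3 s when a
! probe goes unanswered. Without DPD the spoke keeps a stale SA toward a dead
! hub and only fails over when that SA's lifetime expires.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! One crypto map entry listing both peers. "default" marks 10.1.1.1 as the
! preferred hub: while the spoke is using 10.2.2.2 and the SA sits idle for
! 120 s, the SA is torn down and the next negotiation starts again with the
! default peer, so traffic returns to the primary hub once it has recovered.
crypto map TOHUB 1 ipsec-isakmp
 set peer 10.1.1.1 default
 set peer 10.2.2.2
 set security-association idle-time 120 default
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description WAN uplink (placeholder interface name)
 ip address dhcp
 crypto map TOHUB
```

To check which hub the spoke is currently using, `show crypto session` and `show crypto isakmp sa` list the active peer address; after simulating a primary outage, the peer shown should change to 10.2.2.2, and after the idle timer expires it should return to 10.1.1.1 once that hub is reachable again.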