Cisco Support Community

Two ASA's, one Branch, Backup VPN link?

Hi everyone.


I'm suffering with this one, and when I think I got it, something else comes and stops me.


Customer has one ASA with ezvpn, and several branches, which connect using nem with 887/877 routers.  The ASA also announces the connected router's networks via OSPF to the rest of the organization.


They asked me to replicate the ASA configuration on another central site (done), so a new set of routers (about 120) can connect to this new ASA.  This is working fine as well.


Now, the tricky part: They need to have redundancy on every branch, but not on the branches, but on the central sites.  Let me elaborate.  They want a new router to be connected to ASA 2, and if ASA 2 (or its link) dies, automatically be connected to ASA 1.  Of course, if ASA 2 recovers, the router should reconnect to ASA 2 and drop the ASA 1 connection.  This should be extended to the actually connected routers, but that's easy once having the first setup done.


I have configured this on the Router, but it doesn't seem to work properly, since the ezvpn configuration only accepts one server per outside interface:  x.x.x.x is the main ASA, y.y.y.y is the backup one


ip sla monitor 1
 type echo protocol ipIcmpEcho x.x.x.x
 threshold 1000
 frequency 6
ip sla monitor schedule 1 life forever start-time now
track 123 rtr 1 reachability


crypto ipsec client ezvpn backup
 connect auto
 group <group> key <key>
 mode network-extension
 peer y.y.y.y
 username <username> password <password>
 xauth userid mode local


crypto ipsec client ezvpn main
 connect auto
 group <group> key <key>
 mode network-extension
 peer x.x.x.x
 username <username> password <password>
 xauth userid mode local
 backup backup track 123
My interfaces are e0 for inside, and f0 for outside:

interface Ethernet0
 ip address
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn main inside
 crypto ipsec client ezvpn backup inside
interface FastEthernet0
 ip address
 ip mtu 1492
 ip flow ingress
 ip virtual-reassembly
 speed auto
 crypto ipsec client ezvpn main


So, the first tunnel establishes correctly:

*Mar  1 00:07:26.247: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=username  Group=group  Client_public_addr=  Server_public_addr=x.x.x.x  NEM_Remote_Subnets=



But if I drop the connection to the first ASA, the second connection won't come up, I assume because I don't have an interface with the client configuration defined (although from what I can understand, the config should go from f0 uses "main", and "main" uses "backup" if it isn't working)

*Mar  1 00:09:55.639: %TRACKING-5-STATE: 123 rtr 1 reachability Up->Down
*Mar  1 00:09:55.651: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=username  Group=group  Client_public_addr=  Server_public_addr=x.x.x.x


Is this type of configuration even supported? Do I need to do something else? I only have one outside interface and one inside, and I can't change that in my setup.


Also, I don't seem to have the "peer x.x.x.x default" and "peer y.y.y.y" commands (the default one, which should imply that it supports peer backup).


This is using a dynamips emulated 1710: Cisco IOS Software, C1700 Software (C1710-BK9NO3R2SY-M), Version 12.4(25g), RELEASE SOFTWARE (fc1), but I think it's quite equivalent to the 877/887.


Does anyone have any ideas on this?  Thanks in advance!
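An added check (not part of the post above) that parses the router's syslog lines quoted in the post (the %TRACKING-5-STATE and %CRYPTO-6-EZVPN_CONNECTION_UP/DOWN messages) and reports whether the backup peer actually came up within a window after the primary tunnel dropped. The sample log is constructed from the post's message format; x.x.x.x and y.y.y.y are the post's own placeholders, and the window length is an assumption.

```python
import re

# Constructed sample syslog modelled on the messages quoted in the post; the
# peer addresses are the same placeholders the post uses (x.x.x.x primary,
# y.y.y.y backup), not real hosts.
FAILED_LOG = """\
*Mar  1 00:07:26.247: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=username  Group=group  Client_public_addr=  Server_public_addr=x.x.x.x  NEM_Remote_Subnets=
*Mar  1 00:09:55.639: %TRACKING-5-STATE: 123 rtr 1 reachability Up->Down
*Mar  1 00:09:55.651: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=username  Group=group  Client_public_addr=  Server_public_addr=x.x.x.x
"""
# Same events, but with the backup tunnel coming up shortly afterwards (constructed).
GOOD_LOG = FAILED_LOG + (
    "*Mar  1 00:10:02.100: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=username  "
    "Group=group  Client_public_addr=  Server_public_addr=y.y.y.y  NEM_Remote_Subnets=\n"
)

TS_RE = re.compile(r"^\*?\w{3}\s+\d+\s+(\d{2}):(\d{2}):(\d{2})\.(\d{3}):")
TRACK_RE = re.compile(r"%TRACKING-5-STATE: (\d+) rtr \d+ reachability \w+->(\w+)")
EZVPN_RE = re.compile(r"%CRYPTO-6-EZVPN_CONNECTION_(UP|DOWN): .*?Server_public_addr=(\S+)")

def parse_events(log_text):
    """Return (seconds_since_midnight, kind, key, state) for tracking and EzVPN messages."""
    events = []
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        if not ts:
            continue
        h, m, s, ms = (int(x) for x in ts.groups())
        t = h * 3600 + m * 60 + s + ms / 1000
        mt = TRACK_RE.search(line)
        me = EZVPN_RE.search(line)
        if mt:
            events.append((t, "track", mt.group(1), mt.group(2)))   # key = track object id
        elif me:
            events.append((t, "ezvpn", me.group(2), me.group(1)))   # key = server address
    return events

def check_failover(log_text, primary, backup, window=60.0):
    """Report whether the backup peer came up within `window` seconds of the primary dropping."""
    primary_down = backup_up = None
    for t, kind, key, state in parse_events(log_text):
        if kind == "ezvpn" and key == primary and state == "DOWN":
            primary_down, backup_up = t, None   # a later drop restarts the clock
        elif kind == "ezvpn" and key == backup and state == "UP" and primary_down is not None:
            backup_up = t
    ok = backup_up is not None and 0 <= backup_up - primary_down <= window
    return {"primary_down_at": primary_down, "backup_up_at": backup_up, "failover_ok": ok}

if __name__ == "__main__":
    print(check_failover(FAILED_LOG, "x.x.x.x", "y.y.y.y"))   # failover_ok False
    print(check_failover(GOOD_LOG, "x.x.x.x", "y.y.y.y"))     # failover_ok True
```

Run against a real "show logging" capture, the FAILED_LOG pattern (primary DOWN with no backup UP) is exactly the symptom the post describes.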