I'm suffering with this one, and whenever I think I've got it, something else comes along and stops me.
The customer has one ASA with EzVPN and several branches that connect in NEM (network extension mode) with 887/877 routers. The ASA also announces the connected routers' networks via OSPF to the rest of the organization.
They asked me to replicate the ASA configuration at another central site (done), so that a new set of routers (about 120) can connect to this new ASA. This is working fine as well.
Now, the tricky part: they need redundancy for every branch, but not at the branches themselves, rather at the central sites. Let me elaborate. They want a new router to connect to ASA 2 and, if ASA 2 (or its link) dies, to automatically connect to ASA 1. Of course, if ASA 2 recovers, the router should reconnect to ASA 2 and drop the ASA 1 connection. This should then be extended to the currently connected routers, but that's easy once the first setup is done.
I have configured this on the router, but it doesn't seem to work properly, since the EzVPN configuration only accepts one server per outside interface. x.x.x.x is the main ASA, y.y.y.y is the backup one:
ip sla monitor 1
 type echo protocol ipIcmpEcho x.x.x.x
 threshold 1000
 frequency 6
ip sla monitor schedule 1 life forever start-time now
!
track 123 rtr 1 reachability
!
crypto ipsec client ezvpn backup
 connect auto
 group <group> key <key>
 mode network-extension
 peer y.y.y.y
 username <username> password <password>
 xauth userid mode local
!
crypto ipsec client ezvpn main
 connect auto
 group <group> key <key>
 mode network-extension
 peer x.x.x.x
 username <username> password <password>
 xauth userid mode local
 backup backup track 123
My interfaces are e0 for inside, and f0 for outside:
interface Ethernet0
 ip address 10.7.163.1 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 half-duplex
 crypto ipsec client ezvpn main inside
 crypto ipsec client ezvpn backup inside
!
interface FastEthernet0
 ip address 192.168.137.2 255.255.255.0
 ip mtu 1492
 ip flow ingress
 ip virtual-reassembly
 speed auto
 crypto ipsec client ezvpn main
But if I drop the connection to the first ASA, the second connection won't come up. I assume this is because I don't have an interface with the backup client configuration defined (although, from what I understand, the config should flow from f0, which uses "main", and "main" uses "backup" if it isn't working).
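As an added example (it is not from the original post, and I have not verified it on an 887/877), here is how I would lay out the same pieces so that the failover and fail-back behaviour can be observed and tuned rather than guessed at. It assumes the newer `ip sla` / `track ... ip sla` syntax (12.4(4)T and later; the post uses the older `ip sla monitor` / `track ... rtr` form), keeps x.x.x.x and y.y.y.y as placeholders for the two ASA outside addresses, and the `delay` values are illustrative. The probe is aimed at the headend's public address and sourced from the outside interface, so it travels in the clear and never depends on the tunnel it is meant to protect; the damping on the track object stops one lost echo from tearing down a working tunnel and bouncing 120 branches between headends.

```cisco
! Added example, not the poster's configuration. Reachability probe to the
! primary ASA's outside address (placeholder x.x.x.x), sourced from the WAN
! interface so the echo is sent outside the tunnel.
ip sla 1
 icmp-echo x.x.x.x source-interface FastEthernet0
 threshold 1000
 timeout 2000
 frequency 6
ip sla schedule 1 life forever start-time now
!
! Track object the EzVPN profile watches. Illustrative damping: require 15 s
! of failed probes before declaring the primary down, and 30 s of good
! probes before switching back, so a flapping WAN link does not flip the
! branch between the two headends every few seconds.
track 123 ip sla 1 reachability
 delay down 15 up 30
!
! Backup profile: same group and XAUTH credentials, but peer y.y.y.y.
crypto ipsec client ezvpn backup
 connect auto
 group <group> key <key>
 mode network-extension
 peer y.y.y.y
 username <username> password <password>
 xauth userid mode local
!
! Primary profile, peer x.x.x.x, with the backup profile tied to track 123.
crypto ipsec client ezvpn main
 connect auto
 group <group> key <key>
 mode network-extension
 peer x.x.x.x
 username <username> password <password>
 xauth userid mode local
 backup backup track 123
!
interface Ethernet0
 description LAN (NEM network pushed to the headend)
 ip address 10.7.163.1 255.255.255.0
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn main inside
 crypto ipsec client ezvpn backup inside
!
interface FastEthernet0
 description WAN
 ip address 192.168.137.2 255.255.255.0
 ip mtu 1492
 crypto ipsec client ezvpn main
!
! Checks to run while pulling the link to the primary ASA:
!   show track 123                   state should go Down after the delay
!   show ip sla statistics 1         confirms the probe itself is failing
!   show crypto ipsec client ezvpn   which profile and peer is active now
!   show crypto isakmp sa            an SA to y.y.y.y should appear and
!                                    the one to x.x.x.x should clear
```

Two caveats on this layout, both things to confirm against the Easy VPN Remote guide for the IOS release actually running on the 877/887 rather than take from me: first, the dial-backup example I remember from Cisco's documentation binds the backup profile to a separate backup interface (a dialer), not to the same outside interface as the primary, so the backup/track pair may simply not be designed for the "two headends behind one WAN port" case. Second, an EzVPN Remote profile accepts several `peer` lines, and newer releases allow a `default` keyword on the preferred one so the client returns to it once it is reachable again; if that is supported on the branch routers it may match the "fail over to ASA 1, fall back to ASA 2" requirement more directly than the track-based backup, which is what the `show` commands above would let you confirm one branch at a time before rolling it out.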