VPN redundancy - suggestions?

jesper_petersen
Level 1

Hello folks

As per the attached picture, do you have any suggestions on how to make a redundant/failover-capable VPN solution from the two 2821s to the ASA 5510?

I have been looking at the interface-specific command "crypto map XX redundancy XX", but as far as I can read it only applies when the WAN side is also using HSRP. This setup does not use HSRP on its WAN due to a lack of available IP addresses. HSRP on the LAN has preempt enabled, making the primary the "always-active".

As I see it, I can do the following:

Setup regular (and identical) crypto maps in the two 2821 routers pointing to ASA5510 as their VPN peer.

Setup a command line in the ASA that looks something like this:

crypto map outside_map 9 set peer 1.2.3.170 1.2.3.171

Do you think this would be acceptable as a primitive redundant VPN setup?

Thank you in advance

-- Jesper R.

5 Replies

apothula
Level 1

Hi Jesper,

Is there any layer 3 device behind the 2821s?

If there is, we can have a plausible solution.

We shall have a VPN connection from both of the 2821s to the 5510.

And on the layer 3 device behind the 2821s we can set up two routes to the private network at the ASA 5510, via the primary and the secondary 2821.

And we can use SLA monitoring to check out the status of the link and thus have redundancy to the VPN.

Let me know if that helps and if you have any queries about the same.


Cheers,


Nash.

Hello Nash

No, unfortunately there are only a couple of 2950 switches on the LAN side of the 2821s. I don't think they will be of much use for your suggestion, as they are not L3?

Thx

-- Jesper R.

Yeah, they won't be of much use if they are not L3.

Could you let me know what sort of features you are using in your HSRP on the LAN side?

Maybe we can work something out from there.

Cheers,


Nash.

Sure thing

Here are some elements that I think might help. Please note that most of the output is from the secondary router, as the primary is being RMA'd.

----- Interface config from primary router-----

interface GigabitEthernet0/0.1
description LAN
encapsulation dot1Q 16
ip address 192.168.9.124 255.255.255.128
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no snmp trap link-status
standby 16 ip 192.168.9.126
standby 16 priority 110
standby 16 preempt
!
interface GigabitEthernet0/0.2
description VoIP
encapsulation dot1Q 25
ip address 172.27.25.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no snmp trap link-status
standby 25 ip 172.27.25.1
standby 25 priority 110
standby 25 preempt
h323-gateway voip bind srcaddr 172.27.25.2
!

----OUTPUT FROM SECONDARY----------

interface GigabitEthernet0/0.1
description LAN
encapsulation dot1Q 16
ip address 192.168.9.125 255.255.255.128
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no snmp trap link-status
standby 16 ip 192.168.9.126
standby 16 priority 150
standby 16 preempt
end

!
interface GigabitEthernet0/0.2
description VoIP
encapsulation dot1Q 25
ip address 172.27.25.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no snmp trap link-status
standby 25 ip 172.27.25.1
standby 25 priority 150
standby 25 preempt
h323-gateway voip bind srcaddr 172.27.25.3
end

-------

SEC#sh standby
GigabitEthernet0/0.1 - Group 16
  State is Active
    2 state changes, last state change 29w6d
  Virtual IP address is 192.168.9.126
  Active virtual MAC address is 0000.0c07.ac10
    Local virtual MAC address is 0000.0c07.ac10 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.376 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 150 (configured 150)
  IP redundancy name is "hsrp-Gi0/0.1-16" (default)
GigabitEthernet0/0.2 - Group 25
  State is Active
    2 state changes, last state change 29w6d
  Virtual IP address is 172.27.25.1
  Active virtual MAC address is 0000.0c07.ac19
    Local virtual MAC address is 0000.0c07.ac19 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.376 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 150 (configured 150)
  IP redundancy name is "hsrp-Gi0/0.2-25" (default)

---------------------

Is there anything else that could be of use?

Thanks for your help and time.

-- Jesper

Hi Jesper,

I guess you must be using the virtual IP 192.168.9.126 as the gateway for your LAN.

If that is the case, HSRP will take care of which device (primary or backup 2821) to route the traffic through.

The basic idea still remains the same: we shall set up a VPN tunnel between each of the 2821s and the ASA 5510 and leave HSRP to provide the redundancy.

I think all we need to do is to set up a VPN tunnel between each of the two 2821s and the 5510.

Be advised, the Router with the higher priority configured becomes your primary.

Cheers,

Nash.
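Editor's worked example, not configuration from Jesper or Nash: the design the thread converges on (identical crypto maps on both 2821s, a single ASA crypto map entry listing both router WAN addresses, HSRP on the LAN deciding which router carries traffic) written out as IOS 12.4 and ASA 8.x configuration. Everything not shown in the thread is assumed: the ASA outside address 1.2.3.1 and inside network 10.10.10.0/24, the routers' WAN interface GigabitEthernet0/1, the object names (ASA-MAP, VPN-TO-ASA, ASA-TO-SITE, TS), the pre-shared key placeholder CHANGE-ME, and HSRP priorities of 150 on the intended primary and 100 on the secondary (the thread's own output has the secondary at 150 and the primary at 110, which would make the secondary win; as Nash says, the higher priority becomes primary). The addition beyond the thread is the tracking: with only LAN-side HSRP, a WAN or VPN failure on the primary leaves it active on the LAN and traffic is blackholed, so the primary probes the ASA with IP SLA and lowers its HSRP priority when the probe or the WAN interface fails. DPD is enabled on both ends so a dead peer is noticed in seconds rather than at SA lifetime.

```cisco
! ===== 2821 PRIMARY (the secondary is identical except for its own addresses =====
! ===== and "standby ... priority 100"; WAN interface name is assumed)        =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key CHANGE-ME address 1.2.3.1
! Dead Peer Detection: declare the ASA dead after 3 missed keepalives at 10 s
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
ip access-list extended VPN-TO-ASA
 permit ip 192.168.9.0 0.0.0.127 10.10.10.0 0.0.0.255
 permit ip 172.27.25.0 0.0.0.255 10.10.10.0 0.0.0.255
! NOTE: the thread's routers run "ip nat inside"; the same source/destination
! pairs must be denied in the NAT ACL or the crypto ACL never matches (not shown).
!
crypto map ASA-MAP 10 ipsec-isakmp
 set peer 1.2.3.1
 set transform-set TS
 match address VPN-TO-ASA
!
interface GigabitEthernet0/1
 description WAN
 ip address 1.2.3.170 255.255.255.0
 crypto map ASA-MAP
!
! Probe the ASA outside address from the WAN. If the probe or the WAN interface
! fails, priority drops 150 -> 90, below the secondary's 100, so the LAN
! gateway moves to the router that can still reach the ASA.
ip sla 1
 icmp-echo 1.2.3.1 source-interface GigabitEthernet0/1
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0.1
 standby 16 ip 192.168.9.126
 standby 16 priority 150
 standby 16 preempt
 standby 16 track GigabitEthernet0/1 60
 standby 16 track 1 decrement 60
interface GigabitEthernet0/0.2
 standby 25 ip 172.27.25.1
 standby 25 priority 150
 standby 25 preempt
 standby 25 track GigabitEthernet0/1 60
 standby 25 track 1 decrement 60
!
! ===== ASA 5510 (8.x syntax; outside 1.2.3.1, inside 10.10.10.0/24 assumed) =====
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto isakmp enable outside
crypto ipsec transform-set TS esp-aes-256 esp-sha-hmac
access-list ASA-TO-SITE extended permit ip 10.10.10.0 255.255.255.0 192.168.9.0 255.255.255.128
access-list ASA-TO-SITE extended permit ip 10.10.10.0 255.255.255.0 172.27.25.0 255.255.255.0
! One crypto map entry, two peers: the ASA accepts IKE from either 2821 and,
! when it initiates itself, tries 1.2.3.170 first and falls back to 1.2.3.171.
crypto map outside_map 9 match address ASA-TO-SITE
crypto map outside_map 9 set peer 1.2.3.170 1.2.3.171
crypto map outside_map 9 set transform-set TS
crypto map outside_map interface outside
! Each peer address needs its own L2L tunnel-group carrying the same PSK.
tunnel-group 1.2.3.170 type ipsec-l2l
tunnel-group 1.2.3.170 ipsec-attributes
 pre-shared-key CHANGE-ME
 isakmp keepalive threshold 10 retry 3
tunnel-group 1.2.3.171 type ipsec-l2l
tunnel-group 1.2.3.171 ipsec-attributes
 pre-shared-key CHANGE-ME
 isakmp keepalive threshold 10 retry 3
```

To test, shut GigabitEthernet0/1 on the primary (or block its ICMP to the ASA) and watch "show track 1", "show standby brief" and, on the ASA, "show crypto isakmp sa" and "show crypto ipsec sa": the secondary should become HSRP active within the hold time and the ASA's SA should come up with 1.2.3.171 as soon as LAN traffic triggers it. Because both 2821s sit on the same LAN segment, the ASA returning traffic through whichever router currently holds its SA still reaches the hosts, so a transient asymmetry after failback is harmless; the stale SA with the other router simply ages out at its lifetime. DH group 2 (1024-bit MODP) is used here only as the lowest common denominator for that era's code and should be raised to group 14 or higher wherever both platforms support it.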
