New Member

Dual ISP Support Using Static Route Tracking + VPN

I am following this configuration guide for dual ISP support on an ASA 5505 and I have a few questions (http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1057935).

1.) If the primary ISP fails, the default route gets removed and the alternate/backup route gets used.  When the primary ISP becomes available, does the primary route fail back or take over from the backup ISP?  There is no tracking on the backup route, at least not in the example below.

route backupisp 0.0.0.0 0.0.0.0 172.16.2.1 254
! The above route is a floating static route that is added to the
! routing table when the tracked route is removed.

2.) I have a VPN tunnel to another site.  Will I need to create a second VPN tunnel for the backup connection/route or can I just apply the original crypto map to the backupisp?

3.) What image/ASDM will be required to achieve this goal?

2 REPLIES
Cisco Employee

Re: Dual ISP Support Using Static Route Tracking + VPN

Regarding question 1, the primary route will take over when the primary link comes back up.  This is because the primary default route has an Admin Distance of 1 and the backup has an Admin Distance of 254.  So whenever the primary is up, it will use this one.

I'll let someone else comment on questions 2 and 3.

-Kathy

New Member

Re: Dual ISP Support Using Static Route Tracking + VPN

For question 2: In theory you can use the same crypto map on the other interface. Routing will be checked first and then the crypto map, so this should be OK.

Also on the other side you will have to add another peer statement pointing to the secondary interface here.

For question 3: Any ASA version 8.x or later and ASDM 6.x or later should work fine. The newer the better. Please check the CCO software download section to get the latest one.

Manish
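The two replies above (failback by administrative distance, and the crypto map plus a second remote peer for the backup path) can be checked with a small model. This is an added example, not part of the thread and not Cisco code; the interface name `outside`, gateway 10.1.1.1, track id 1 and both local addresses are constructed assumptions, and only the `backupisp` route comes from the question.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StaticRoute:
    interface: str
    gateway: str
    distance: int                 # administrative distance; lower is preferred
    track: Optional[int] = None   # track object id, None if untracked

def active_default(routes, track_up):
    """A tracked route is installed only while its track object is up;
    among installed routes the lowest administrative distance wins."""
    installed = [r for r in routes
                 if r.track is None or track_up.get(r.track, False)]
    return min(installed, key=lambda r: r.distance, default=None)

def vpn_can_establish(route, crypto_map_ifaces, local_ip, remote_peers):
    """The tunnel works on a path only if the crypto map is applied to the
    egress interface and the remote end lists that interface's address."""
    return (route is not None
            and route.interface in crypto_map_ifaces
            and local_ip[route.interface] in remote_peers)

# Constructed values: "outside", gateway 10.1.1.1, track id 1 and both local
# addresses are assumptions; the backupisp route is the one quoted above.
ROUTES = [
    StaticRoute("outside", "10.1.1.1", 1, track=1),
    StaticRoute("backupisp", "172.16.2.1", 254),
]
LOCAL_IP = {"outside": "192.0.2.10", "backupisp": "198.51.100.10"}

def simulate(crypto_map_ifaces, remote_peers):
    """Walk primary up -> down -> up; return (egress interface, vpn ok)."""
    results = []
    for primary_up in (True, False, True):
        route = active_default(ROUTES, {1: primary_up})
        ok = vpn_can_establish(route, crypto_map_ifaces, LOCAL_IP, remote_peers)
        results.append((route.interface, ok))
    return results

if __name__ == "__main__":
    # Crypto map on the primary only, remote side knows one peer.
    print(simulate({"outside"}, {"192.0.2.10"}))
    # Crypto map on both interfaces, remote side lists both peers.
    print(simulate({"outside", "backupisp"}, {"192.0.2.10", "198.51.100.10"}))
```

The third step of each run shows the failback: once the track object is up again, the distance-1 route is reinstalled and preferred over the distance-254 floating route.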
