Velocity Reviews, Cisco forum: Redundant VPN on ASA (http://www.velocityreviews.com/forums/t513902-redundant-vpn-on-asa.html)

whatareyourmemes@hotmail.com 06-12-2007 03:09 AM

Redundant VPN on ASA
 
I am attempting to set up a redundant VPN solution utilizing the ASA
platform with the following layout.

RMT-ASA - originate-only w/ two peers specified
   |
 CLOUD
  / \
RTR1 RTR2 - two disparate ISP T1 links to the internet; primary and backup
  \ /
HQASA - terminates L2L VPN with connection type "answer-only"
   |
 HQRTR
   |
  LAN

My intention is to have the remote ASA (RMT-ASA) VPN connection
fail over to the backup interface connection if the primary ISP link
fails - and then fail back when it becomes available again.

HQASA is configured with SLA tracking on the default route for the
outside interface and a floating static for the backup interface. I
have tested to the point that when the primary connection fails the
VPN will shift to the backup connection without intervention.
However, if the primary link comes up the VPN will not "failback" and
because the SLA tracking on HQASA reinstates the "outside" interface
as the default route I lose all VPN connectivity. The remote ASA
seems to keep wanting to stick with the backup link as it continues to
try to connect with that peer IP.

Am I approaching this in the right way? First time working with ASAs.


Scott Perry 06-12-2007 12:32 PM

Re: Redundant VPN on ASA
 
The Cisco ASA supports OSPF.

I suggest enabling OSPF between the ASA and the two Internet routers.
Configure the OSPF cost to the primary and secondary routers to give
preference as to which router should be used. In this setup, the primary
router will stop its advertisements when it either fails or loses its
Internet connection and the ASA will dynamically adjust to use the secondary
router. When the primary router returns to normal operation and advertises
the Internet route again with its preferred cost, the ASA will dynamically
adjust back to using the primary router.

===========
Scott Perry
===========
Indianapolis, Indiana
________________________________________

<whatareyourmemes@hotmail.com> wrote in message
news:1181617777.208091.146630@n15g2000prd.googlegroups.com...
> I am attempting to set up a redundant VPN solution utilizing the ASA
> platform with the following layout.
>
> RMT-ASA - originate-only w/ two peers specified
>    |
>  CLOUD
>   / \
> RTR1 RTR2 - two disparate ISP T1 links to the internet; primary and backup
>   \ /
> HQASA - terminates L2L VPN with connection type "answer-only"
>    |
>  HQRTR
>    |
>   LAN
>
> My intention is to have the remote ASA (RMT-ASA) VPN connection
> fail over to the backup interface connection if the primary ISP link
> fails - and then fail back when it becomes available again.
>
> HQASA is configured with SLA tracking on the default route for the
> outside interface and a floating static for the backup interface. I
> have tested to the point that when the primary connection fails the
> VPN will shift to the backup connection without intervention.
> However, if the primary link comes up the VPN will not "failback" and
> because the SLA tracking on HQASA reinstates the "outside" interface
> as the default route I lose all VPN connectivity. The remote ASA
> seems to keep wanting to stick with the backup link as it continues to
> try to connect with that peer IP.
>
> Am I approaching this in the right way? First time working with ASAs.
>

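To make the OSPF suggestion in the reply concrete, the following is an added configuration example; it is not from the thread, not the poster's configuration, and not copied from Cisco documentation. It assumes HQASA has two router-facing interfaces (outside toward RTR1, backup toward RTR2) on separate /30 links, that each router holds a static default toward its ISP that is withdrawn by an IP SLA track when the ISP next-hop stops answering, and that OSPF process 1, area 0, the router-ids, the 203.0.113.x/30 link addresses, the 198.51.100.x ISP next-hops and the MD5 key string are all placeholder values to be replaced. The primary router originates the default with a lower metric, so HQASA prefers it whenever RTR1 is advertising and moves to RTR2's default as soon as RTR1's advertisement stops.

```cisco
! ---- RTR1 (primary, IOS) ----
! The static default is tied to a reachability track; when the ISP path
! fails the static route disappears and "default-information originate"
! stops advertising the default into OSPF.
ip sla 1
 icmp-echo 198.51.100.1 source-interface Serial0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
!
interface FastEthernet0/0
 description link to HQASA outside
 ip address 203.0.113.1 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-KEY
!
router ospf 1
 router-id 10.0.0.1
 network 203.0.113.0 0.0.0.3 area 0
 default-information originate metric 10
!
! ---- RTR2 (backup, IOS) ----
! Same shape, higher metric, so its default only wins when RTR1 is silent.
ip sla 1
 icmp-echo 198.51.100.5 source-interface Serial0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 198.51.100.5 track 1
!
interface FastEthernet0/0
 description link to HQASA backup
 ip address 203.0.113.5 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-KEY
!
router ospf 1
 router-id 10.0.0.2
 network 203.0.113.4 0.0.0.3 area 0
 default-information originate metric 20
!
! ---- HQASA ----
! OSPF on both router-facing interfaces replaces the SLA-tracked default
! and the floating static: the default route follows whichever router is
! currently advertising the lowest-metric one. Neighbor authentication is
! enabled on both interfaces because they face the Internet routers.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
 ospf authentication message-digest
 ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-KEY
!
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 203.0.113.6 255.255.255.252
 ospf authentication message-digest
 ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-KEY
!
router ospf 1
 router-id 10.0.0.3
 network 203.0.113.0 255.255.255.252 area 0
 network 203.0.113.4 255.255.255.252 area 0
 log-adj-changes
```

To check the behaviour, use "show ospf neighbor" on HQASA to confirm both adjacencies are FULL, then "show route" and watch the next-hop of 0.0.0.0 change when RTR1's tracked default is withdrawn and return when it is restored. Note that this only governs which router HQASA uses for outbound traffic; whether RMT-ASA returns to the primary peer address once the primary link is back still depends on its existing tunnel to the backup peer being torn down, so test that part of the failback separately.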