Velocity Reviews - Computer Hardware Reviews

Redundant VPN on ASA

 
 
whatareyourmemes@hotmail.com
06-12-2007
I am attempting to set up a redundant VPN solution utilizing the ASA
platform with the following layout.

        RMT-ASA       - originate-only w/ two peers specified
           |
         CLOUD
          / \
     RTR1     RTR2    - two disparate ISP T1 links to the
          \ /           internet; primary and backup
         HQASA        - terminates L2L VPN with connection
           |            type "answer-only"
         HQRTR
           |
          LAN

My intention is to have the remote ASA (RMT-ASA) VPN connection fail
over to the backup interface connection if the primary ISP link fails,
and then fail back when it becomes available again.



HQASA is configured with SLA tracking on the default route for the
outside interface and a floating static for the backup interface. I
have tested to the point that when the primary connection fails the
VPN will shift to the backup connection without intervention.
However, if the primary link comes up the VPN will not "failback" and
because the SLA tracking on HQASA reinstates the "outside" interface
as the default route I lose all VPN connectivity. The remote ASA
seems to keep wanting to stick with the backup link as it continues to
try to connect with that peer IP.



Am I approaching this in the right way? First time working with ASAs.

 
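The setup the post describes (SLA-tracked default route plus floating static on HQASA, one crypto map bound to both ISP-facing interfaces in answer-only mode, and an originate-only crypto map with two peers on RMT-ASA) is laid out below as an added, annotated example. It is editor-written, not the poster's actual configuration: ASA 7.x syntax is assumed, every address is a constructed RFC 5737 documentation address (outside 198.51.100.10/.1, backup 203.0.113.10/.1, remote 192.0.2.10), the interface names, LAN prefixes and the `L2L` access-list name are assumptions, and the pre-shared keys are placeholders. The one thing added beyond the post is dead-peer detection (`isakmp keepalive`), because the symptom described, the remote ASA staying on the backup peer after the primary returns, is exactly what a tunnel that is dead but never torn down looks like: the ASA only walks its peer list from the top when it has no tunnel up.

```cisco
! --- HQASA (ASA 7.x syntax assumed; constructed example addresses) ---
! Primary default route stands only while the probe succeeds; the floating
! static (AD 254) takes over when track 1 goes down.  Probe a host beyond
! the ISP gateway if an upstream outage, not just the T1, must trigger it.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route backup  0.0.0.0 0.0.0.0 203.0.113.1 254
!
! One crypto map, bound to BOTH ISP-facing interfaces; answer-only means
! HQASA never initiates, so it does not matter which side the remote hits.
access-list L2L extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address L2L
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set connection-type answer-only
crypto map outside_map interface outside
crypto map outside_map interface backup
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
 ! Dead peer detection: a stale tunnel has to be torn down before the
 ! remote will start again from the first peer in its list.
 isakmp keepalive threshold 10 retry 2
!
! --- RMT-ASA: originate-only, peers listed primary first ---
access-list L2L extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address L2L
crypto map outside_map 10 set peer 198.51.100.10 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set connection-type originate-only
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! One tunnel-group per HQ peer address, same keepalive on each.
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
 isakmp keepalive threshold 10 retry 2
```

When testing failback, watch three things on HQASA: `show track 1` (probe state), `show route` (which default is installed) and `show crypto isakmp sa` (which interface the tunnel is bound to). Once the default route moves back to outside, a security association that was built on the backup interface no longer has a consistent return path; with keepalives on both ends that tunnel is torn down within roughly threshold plus retries, and RMT-ASA then re-initiates to the first peer in its list, which is the failback the post is after. Without keepalives the remote keeps the existing SA and keeps retrying the backup peer, which is the behaviour reported.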
 
 
 
 
Scott Perry
06-12-2007
The Cisco ASA supports OSPF.

I suggest enabling OSPF between the ASA and the two Internet routers.
Configure the OSPF cost to the primary and secondary routers to give
preference as to which router should be used. In this setup, the primary
router will stop its advertisements when it either fails or loses its
Internet connection and the ASA will dynamically adjust to use the secondary
router. When the primary router returns to normal operation and advertises
the Internet route again with its preferred cost, the ASA will dynamically
adjust back to using the primary router.

===========
Scott Perry
===========
Indianapolis, Indiana
________________________________________

<> wrote in message
news: oups.com...
 
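The OSPF arrangement Scott describes, the ASA peering with both Internet routers and each router injecting a default route that it withdraws when its own Internet path goes away, is shown below as an added example that is not Scott's or the original poster's configuration. ASA 7.x and IOS 12.4T-or-later syntax is assumed, all addresses are constructed RFC 5737 documentation addresses (the same ones as the SLA example above: RTR1 side 198.51.100.0/24, RTR2 side 203.0.113.0/24), interface names and the probe target 192.0.2.1 are assumptions, and keys are placeholders. Two things are added beyond the reply because a practitioner running OSPF on Internet-facing segments would want them: MD5 neighbour authentication, and tracked default statics on the routers so that an upstream failure with the T1 still up also stops the advertisement.

```cisco
! --- HQASA: OSPF toward both Internet routers (ASA 7.x syntax assumed) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.0
 ospf cost 10
 ospf authentication message-digest
 ospf message-digest-key 1 md5 REPLACE-WITH-OSPF-KEY
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 203.0.113.10 255.255.255.0
 ospf cost 100
 ospf authentication message-digest
 ospf message-digest-key 1 md5 REPLACE-WITH-OSPF-KEY
router ospf 1
 network 198.51.100.0 255.255.255.0 area 0
 network 203.0.113.0 255.255.255.0 area 0
 log-adj-changes
!
! --- RTR1 (primary, IOS): originate a default only while its own exists ---
ip sla 1
 icmp-echo 192.0.2.1 source-interface Serial0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
! Withdrawn if the T1 drops OR the upstream probe fails; without the default
! route present, "default-information originate" stops advertising it.
ip route 0.0.0.0 0.0.0.0 Serial0/0 track 1
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-OSPF-KEY
router ospf 1
 passive-interface Serial0/0
 network 198.51.100.0 0.0.0.255 area 0
 default-information originate metric 10
!
! --- RTR2 (backup, IOS): identical shape, higher external metric ---
ip sla 1
 icmp-echo 192.0.2.1 source-interface Serial0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 Serial0/0 track 1
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-OSPF-KEY
router ospf 1
 passive-interface Serial0/0
 network 203.0.113.0 0.0.0.255 area 0
 default-information originate metric 100
```

The preference lives in the `metric` on `default-information originate`, not only in the ASA's `ospf cost`: a default injected this way is an OSPF type-2 external, and for those the advertised external metric is compared first, with the internal cost to the advertising router only breaking ties. Both knobs are set here so the result is the same either way. `passive-interface Serial0/0` keeps the routers from forming adjacencies toward the ISP, and `show ospf neighbor` / `show route` on the ASA confirm which default is installed after each failure and recovery.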
 
 
 