Redundant VPN on ASA

Discussion in 'Cisco' started by whatareyourmemes@hotmail.com, Jun 12, 2007.

  1. Guest

    I am attempting to set up a redundant VPN solution utilizing the ASA
    platform with the following layout.

    RMT-ASA    - originate-only w/ two peers specified
        |
      CLOUD
       / \
    RTR1 RTR2  - two disparate ISP T1 links to the internet; primary and backup
       \ /
      HQASA    - terminates L2L VPN with connection type "answer-only"
        |
      HQRTR
        |
       LAN



    My intention is to have the remote ASA (RMT-ASA) VPN connection
    failover to the backup interface connection if the primary ISP link
    fails - and then failback when it becomes available again.



    HQASA is configured with SLA tracking on the default route for the
    outside interface and a floating static for the backup interface. I
    have tested to the point that when the primary connection fails the
    VPN will shift to the backup connection without intervention.
    However, if the primary link comes up the VPN will not "failback" and
    because the SLA tracking on HQASA reinstates the "outside" interface
    as the default route I lose all VPN connectivity. The remote ASA
    seems to keep wanting to stick with the backup link as it continues to
    try to connect with that peer IP.



    Am I approaching this in the right way? First time working with ASAs.
    , Jun 12, 2007
    #1
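The setup described in this post, as an added example in ASA CLI (not the poster's configuration): the HQASA side with the SLA-tracked default route, the floating static via the backup interface and an answer-only crypto map bound to both ISP-facing interfaces, and the RMT-ASA side with an originate-only map listing both HQASA peer addresses. All addresses, interface names and map names are constructed placeholders, the syntax assumes ASA 7.x of that era, and the ISAKMP policy, NAT exemption and the remote side's mirrored ACL and pre-shared keys are omitted.

```cisco
! ===== HQASA (answer-only side) - constructed example, not the poster's config =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! Probe the primary ISP next hop every 10 s; track object 1 follows reachability.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Tracked primary default route (AD 1) and floating static via backup (AD 254).
! The primary route is withdrawn while track 1 is down and reinstated when the
! probe succeeds again, at which point traffic to RMT-ASA leaves via "outside".
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! IKE must listen on both ISP-facing interfaces so either peer address answers.
crypto isakmp enable outside
crypto isakmp enable backup
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
access-list L2L_ACL extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map L2L_MAP 10 match address L2L_ACL
crypto map L2L_MAP 10 set peer 192.0.2.10
crypto map L2L_MAP 10 set transform-set ESP-AES-SHA
crypto map L2L_MAP 10 set connection-type answer-only
crypto map L2L_MAP interface outside
crypto map L2L_MAP interface backup
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key <REPLACE-WITH-STRONG-PSK>
!
! ===== RMT-ASA (originate-only side) =====
! Peers are tried in the listed order, HQASA's primary address first.
crypto map RMT_MAP 10 match address L2L_ACL_MIRROR
crypto map RMT_MAP 10 set peer 198.51.100.2 203.0.113.2
crypto map RMT_MAP 10 set transform-set ESP-AES-SHA
crypto map RMT_MAP 10 set connection-type originate-only
crypto map RMT_MAP interface outside
! One tunnel-group per HQASA peer address (PSK attributes omitted here).
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 203.0.113.2 type ipsec-l2l
```

Once applied, `show route` on HQASA shows which default route is active and `show crypto isakmp sa` on either side shows which peer address the current tunnel is using.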

  2. Scott Perry Guest

    The Cisco ASA supports OSPF.

    I suggest enabling OSPF between the ASA and the two Internet routers.
    Configure the OSPF cost to the primary and secondary routers to give
    preference as to which router should be used. In this setup, the primary
    router will stop its advertisements when it either fails or loses its
    Internet connection and the ASA will dynamically adjust to use the secondary
    router. When the primary router returns to normal operation and advertises
    the Internet route again with its preferred cost, the ASA will dynamically
    adjust back to using the primary router.

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    Scott Perry, Jun 12, 2007
    #2