Solved

How do I configure redundant VPN tunnels to multiple sites?

Posted on 2008-10-15
7,911 Views
Last Modified: 2012-05-05
I am setting up network infrastructure in two sites in different countries.
Both have 2 ISPs.
Both require remote access VPNs.

On the ASA in both sites I have set up 2 outside interfaces and 1 inside interface.
I have a tracked default route to decide which link is active.
This all seems to work ok.

I now want to introduce a site-to-site VPN.
All the lines between the ASAs indicate possible site-to-site VPNs.

                   10.10.10.1
                        |
                   192.168.1.1
                        |
   100.100.100.1 ---- ASA 1 ---- 100.100.200.1
         |        \           /        |
         |          \       /          |
         |            \   /            |
         |              X              |
         |            /   \            |
         |          /       \          |
         |        /           \        |
   200.200.100.1 ---- ASA 2 ---- 200.200.200.1
                        |
                   192.169.2.0

Current config below. I don't think I'm on the right track here...
I know there are redundant configs in there, I haven't got around to cleaning the config up, desperately trying to get this working.

This worked for a time and then stopped working.
In the logs I saw the following.
When both ASAs were using their primary ISPs
100.100.100.1
200.200.100.1
the tunnel gave the following messages on ASA 2:
5  Oct 15 2008 13:26:22  713041  IP = 100.100.100.1, IKE Initiator: New Phase 1, Intf outsideSDSL, IKE Peer 100.100.100.1  local Proxy Address 200.200.200.1, remote Proxy Address 100.100.100.1,  Crypto map (OutsideSDSL_map)
6  Oct 15 2008 13:26:22  110003  Routing failed to locate next hop for udp from NP Identity Ifc:200.200.200.1/62465 to outsideSDSL:100.100.100.1/62465
Which makes sense, as the route for 200.200.200.1 is not active, but why would it choose that interface to use when the route is not active?
Is there another way to do this?

Many thanks!
ASA 1
 
: Saved
:
ASA Version 7.2(1)
!
hostname cisco
domain-name xxx.local
enable password xxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 nameif outsideICE
 security-level 0
 ip address 100.100.200.1 255.255.255.0
!
interface Vlan12
 nameif OutsideEricom
 security-level 0
 ip address 100.100.100.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/6
 switchport access vlan 12
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/7
 switchport access vlan 12
 no nameif
 no security-level
 no ip address
!
passwd xxxU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx
same-security-traffic permit intra-interface
object-group service Filezilla tcp
 port-object range 10000 10000
access-list OutsideEricom_access_out extended permit ip any any
access-list OutsideEricom_access_in extended permit tcp any host 100.100.100.5 eq pptp
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 10.10.0.0 255.255.0.0 any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.176 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.1.176 255.255.255.248
access-list CompanyEircom_splitTunnelAcl_1 standard permit 10.10.0.0 255.255.0.0
access-list CompanyEircom_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list CompanyEircom_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list outsideICE_access_out extended permit ip any any
access-list CompanyICE_splitTunnelAcl_1 standard permit 10.10.0.0 255.255.0.0
access-list CompanyICE_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list CompanyICE_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list nonatvpn extended permit ip any 192.168.1.0 255.255.255.0
access-list nonatvpn extended permit ip any 10.10.0.0 255.255.0.0
access-list nonatvpn extended permit ip any 192.168.2.0 255.255.255.0
access-list nonatvpn extended permit ip any 192.168.3.0 255.255.255.0
access-list nonatvpn extended permit ip any 192.168.4.0 255.255.255.0
access-list TulltoLon extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list TulltoLon extended permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list TulltoLon extended permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging from-address xxx
logging recipient-address xxx level errors
logging facility 22
logging device-id ipaddress inside
logging host inside 192.168.1.90
mtu inside 1500
mtu outsideICE 1500
mtu OutsideEricom 1500
ip local pool VPNpool 192.168.1.176-192.168.1.200 mask 255.255.255.0
ip local pool TullVPNPool 192.168.4.100-192.168.4.200 mask 255.255.255.0
no failover
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outsideICE) 1 interface
global (OutsideEricom) 1 interface
nat (inside) 0 access-list nonatvpn
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,OutsideEricom) 100.100.100.5 192.168.1.1 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outsideICE_access_out out interface outsideICE
access-group OutsideEricom_access_in in interface OutsideEricom
access-group OutsideEricom_access_out out interface OutsideEricom
route OutsideEricom 0.0.0.0 0.0.0.0 100.100.100.254 2 track 2
route inside 10.10.0.0 255.255.0.0 192.168.1.10 1
route outsideICE 0.0.0.0 0.0.0.0 100.100.200.254 11
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 1:00:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server CompanyAD protocol ldap
aaa-server CompanyAD host 192.168.1.1
 ldap-base-dn DC=Company,DC=local
 ldap-scope subtree
 ldap-naming-attribute samAccountName
 ldap-login-password xxxx
 ldap-login-dn CN=Administrator,CN=Users,DC=Company,DC=local
 server-type microsoft
aaa-server cisco protocol ldap
aaa-server cisco host 192.168.1.1
 ldap-base-dn OU=Company Users,DC=Company,DC=local
 ldap-scope subtree
 ldap-naming-attribute samAccountName
 ldap-login-password xxx
 ldap-login-dn CN=Administrator,CN=users,DC=Company,DC=local
 server-type microsoft
group-policy CompanyEircom internal
group-policy CompanyEircom attributes
 dns-server value 192.168.1.1 192.168.1.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CompanyEircom_splitTunnelAcl_1
 default-domain value Company.local
group-policy CompanyICE internal
group-policy CompanyICE attributes
 dns-server value 192.168.1.1 192.168.1.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CompanyICE_splitTunnelAcl_1
 default-domain value Company.local
http server enable
http 192.168.4.0 255.255.255.0 outsideICE
http 192.168.4.0 255.255.255.0 OutsideEricom
http 192.168.3.0 255.255.255.0 OutsideEricom
http 192.168.3.0 255.255.255.0 outsideICE
http 192.168.2.0 255.255.255.0 outsideICE
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 OutsideEricom
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 2
 type echo protocol ipIcmpEcho 1.1.1.1 interface OutsideEricom
sla monitor schedule 2 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TulltoLon esp-3des esp-sha-hmac
crypto dynamic-map OutsideEricom_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map OutsideEricom_map 10 match address TulltoLon
crypto map OutsideEricom_map 10 set connection-type answer-only
crypto map OutsideEricom_map 10 set peer 200.200.100.1
crypto map OutsideEricom_map 10 set transform-set TulltoLon
crypto map OutsideEricom_map 30 match address TulltoLon
crypto map OutsideEricom_map 30 set connection-type answer-only
crypto map OutsideEricom_map 30 set peer 200.200.200.1
crypto map OutsideEricom_map 30 set transform-set TulltoLon
crypto map OutsideEricom_map 5000 ipsec-isakmp dynamic OutsideEricom_dyn_map
crypto map OutsideEricom_map interface OutsideEricom
crypto isakmp enable outsideICE
crypto isakmp enable OutsideEricom
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 2 rtr 2 reachability
tunnel-group CompanyEircom type ipsec-ra
tunnel-group CompanyEircom general-attributes
 address-pool VPNpool
 authentication-server-group CompanyAD
 default-group-policy CompanyEircom
tunnel-group CompanyEircom ipsec-attributes
 pre-shared-key *
tunnel-group CompanyICE type ipsec-ra
tunnel-group CompanyICE general-attributes
 address-pool VPNpool
 authentication-server-group CompanyAD
 default-group-policy CompanyICE
tunnel-group CompanyICE ipsec-attributes
 pre-shared-key *
tunnel-group 200.200.100.1 type ipsec-l2l
tunnel-group 200.200.100.1 ipsec-attributes
 pre-shared-key *
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
 pre-shared-key *
tunnel-group xxxVPN type ipsec-ra
tunnel-group xxxVPN general-attributes
 address-pool TullVPNPool
 authentication-server-group CompanyAD
 default-group-policy CompanyEircom
tunnel-group xxxVPN ipsec-attributes
 pre-shared-key *
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 outsideICE
telnet 192.168.4.0 255.255.255.0 outsideICE
telnet 192.168.3.0 255.255.255.0 outsideICE
telnet 192.168.2.0 255.255.255.0 OutsideEricom
telnet 192.168.4.0 255.255.255.0 OutsideEricom
telnet 192.168.3.0 255.255.255.0 OutsideEricom
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outsideICE
!
dhcpd dns xx.xx.xx.xx interface inside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect pptp
!
service-policy global_policy global
smtp-server 192.168.1.5
prompt hostname context
Cryptochecksum:d0431b377933e872433a2f9f90049dab
: end
 
ASA 2
 
:
ASA Version 7.2(3)
!
hostname xxx
domain-name Company.com
enable password NSIJu5hcxOgOrdh7 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outsideSDSL
 security-level 0
 ip address 200.200.200.1 255.255.255.248
!
interface Vlan12
 nameif OutsideDSL
 security-level 0
 ip address 200.200.100.1 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name Company.com
same-security-traffic permit intra-interface
object-group service tomcat tcp
 port-object range https https
 port-object range www www
 port-object range 8080 8082
 port-object range 8443 8445
 port-object range 8453 8455
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-list OutsideDSL_access_out extended permit ip any any
access-list outsideSDSL_access_out extended permit ip any any
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list CompanyLonDSL_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list CompanyLonDSL_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list CompanyLonDSL_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list nonatvpn extended permit ip any 192.168.2.0 255.255.255.0
access-list nonatvpn extended permit ip any 192.168.1.0 255.255.255.0
access-list nonatvpn extended permit ip any 192.168.3.0 255.255.255.0
access-list nonatvpn extended permit ip any 10.10.0.0 255.255.0.0
access-list nonatvpn extended permit ip any 192.168.4.0 255.255.255.0
access-list LontoTull extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list LontoTull extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list LontoTull extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list LontoTull extended permit ip 192.168.3.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list OutsideDSL_access_in extended permit tcp any host 200.200.100.5 object-group tomcat
access-list OutsideDSL_access_in extended permit tcp any host 200.200.100.6 object-group tomcat
access-list OutsideDSL_access_in remark Rule to allow http to 2.200
access-list OutsideDSL_access_in extended permit tcp any interface OutsideDSL eq www
access-list OutsideDSL_access_in remark Rule to allow traffic to auth on 2.185 po 15000
access-list OutsideDSL_access_in extended permit tcp any interface OutsideDSL eq 15000
access-list OutsideDSL_access_in remark Rule to allow traffic to https on 2.12
access-list OutsideDSL_access_in extended permit tcp any interface OutsideDSL eq https
access-list OutsideDSL_access_in remark Rule to allow traffic to ftp on 2.20
access-list OutsideDSL_access_in extended permit tcp any interface OutsideDSL eq ftp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outsideSDSL 1500
mtu OutsideDSL 1500
ip local pool pool_201_219 192.168.2.201-192.168.2.219 mask 255.255.255.0
ip local pool LonVPNPool 192.168.3.100-192.168.3.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outsideSDSL) 1 interface
global (OutsideDSL) 1 interface
nat (inside) 0 access-list nonatvpn
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,OutsideDSL) tcp interface www 192.168.2.200 www netmask 255.255.255.255
static (inside,OutsideDSL) tcp interface 15000 192.168.2.185 15000 netmask 255.255.255.255
static (inside,OutsideDSL) tcp interface https 192.168.2.12 https netmask 255.255.255.255
static (inside,OutsideDSL) tcp interface ftp 192.168.2.20 ftp netmask 255.255.255.255
static (inside,OutsideDSL) 200.200.100.5 192.168.2.38 netmask 255.255.255.255
static (inside,OutsideDSL) 200.200.100.6 192.168.2.52 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outsideSDSL_access_out out interface outsideSDSL
access-group OutsideDSL_access_in in interface OutsideDSL
access-group OutsideDSL_access_out out interface OutsideDSL
route OutsideDSL 0.0.0.0 0.0.0.0 200.200.100.254 1 track 1
route outsideSDSL 0.0.0.0 0.0.0.0 200.200.200.254 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 1:00:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.4.0 255.255.255.0 OutsideDSL
http 192.168.4.0 255.255.255.0 outsideSDSL
http 192.168.1.0 255.255.255.0 OutsideDSL
http 192.168.1.0 255.255.255.0 outsideSDSL
http 192.168.3.0 255.255.255.0 outsideSDSL
http 192.168.3.0 255.255.255.0 OutsideDSL
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho 208.67.222.222 interface OutsideDSL
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set LontoTull esp-3des esp-sha-hmac
crypto dynamic-map OutsideDSL_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OutsideSDSL_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map dyn_map 20 set reverse-route
crypto map OutsideDSL_map 10 match address LontoTull
crypto map OutsideDSL_map 10 set connection-type originate-only
crypto map OutsideDSL_map 10 set peer 100.100.100.1 100.100.200.1
crypto map OutsideDSL_map 10 set transform-set LontoTull
crypto map OutsideDSL_map 20 ipsec-isakmp dynamic OutsideDSL_dyn_map
crypto map OutsideDSL_map interface OutsideDSL
crypto map OutsideSDSL_map 10 match address LontoTull
crypto map OutsideSDSL_map 10 set connection-type originate-only
crypto map OutsideSDSL_map 10 set peer 100.100.100.1 100.100.200.1
crypto map OutsideSDSL_map 10 set transform-set LontoTull
crypto map OutsideSDSL_map 20 ipsec-isakmp dynamic OutsideSDSL_dyn_map
crypto map OutsideSDSL_map interface outsideSDSL
crypto isakmp enable OutsideDSL
crypto isakmp enable outsideSDSL
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 outsideSDSL
telnet 192.168.3.0 255.255.255.0 outsideSDSL
telnet 192.168.4.0 255.255.255.0 outsideSDSL
telnet 192.168.1.0 255.255.255.0 OutsideDSL
telnet 192.168.3.0 255.255.255.0 OutsideDSL
telnet 192.168.4.0 255.255.255.0 OutsideDSL
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outsideSDSL
!
 
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect icmp error
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect waas
  inspect xdmcp
!
service-policy global-policy global
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.2.200
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value Company.com
group-policy CompanyLonDSL internal
group-policy CompanyLonDSL attributes
 dns-server value 192.168.2.200
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CompanyLonDSL_splitTunnelAcl
 default-domain value Company.com
username xxx password xxx encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
 address-pool pool_201_219
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group CompanyLonDSL type ipsec-ra
tunnel-group CompanyLonDSL general-attributes
 address-pool LonVPNPool
 default-group-policy CompanyLonDSL
tunnel-group CompanyLonDSL ipsec-attributes
 pre-shared-key *
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 pre-shared-key *
tunnel-group 100.100.200.1 type ipsec-l2l
tunnel-group 100.100.200.1 ipsec-attributes
 pre-shared-key *
tunnel-group xxxVPN type ipsec-ra
tunnel-group xxxVPN general-attributes
 address-pool LonVPNPool
 default-group-policy CompanyLonDSL
tunnel-group xxxVPN ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:c5911e7fe6c4c9f73cf4832c05c34865
: end

Question by:shakel_ie

6 Comments

Expert Comment

by:olivierbreuer
ID: 22721967
Hello,

(please open my small drawing)

I have changed the IP addresses you defined in your example to explicit letters, to avoid confusion.

ASA 1 has 2 internet accesses: Access A and C
ASA 2 also has 2 internet accesses: Access B and D

The best way to have a reliable, easy configuration solution is to create 2 static routes with a /32 mask.

On ASA 1, create a static route to reach B using interface A and one to reach D using interface C.
On ASA 2, do the opposite.
So you have 2 specific, static paths to reach your other firewall over the internet.

After that, you just have to create 2 site-to-site VPN tunnels. This will guarantee you redundancy and also minimize complexity, so troubleshooting is easy when a problem occurs.

Having 4 different tunnels will strongly increase the complexity of your solution and, from my point of view, will not add extra redundancy.

Don't forget that if, after your complex configuration, you are stuck for a week or more and you are not able to let your employees work because of this kind of problem, you will lose a lot of money.

That's, for me, the easiest, safest way to create redundancy between your firewalls.

Hope that you have understood my opinion. If you want more explanations on this I will be pleased to help you out.

Regards,

Olivier

(attachment: Image-5.png)
 

Author Comment

by:shakel_ie
ID: 22722162
Hi Olivier,

Thanks for the response. I will try this out.
Just a few questions on this:
1. If I happen to lose ISP A and ISP D then I will have no tunnel right?
2. Are both tunnels up at all times in normal operating conditions?
3. Can I prioritise one tunnel over the other?
4. Can I know what tunnel is being used for traffic?

Many thanks.
Shane
Assisted Solution

by:olivierbreuer
olivierbreuer earned 500 total points
ID: 22722298
Answers:

1. If you lose ISP A and ISP D at the same time, you will not have tunnels anymore.
2. Both tunnels are up at all times in normal operating conditions.
3. I don't think so.
4. Yes, using real-time network traffic.

You can also check this useful resource:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Regards,

Olivier
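
A configuration sketch of what Olivier recommends above (two /32 host routes, one tunnel per outside interface) applied to the two ASAs in the question, followed by the show commands that answer question 4 (which tunnel is carrying traffic). This is an added example, not the poster's config or Olivier's drawing. It reuses the interface names, peer addresses, ACLs, transform sets and tunnel-groups from the posted configs; it assumes the next-hop gateways that the posted default routes already use are the right ones for the host routes; it uses the default bidirectional connection type in place of the originate-only/answer-only pairing in the original; and the pre-shared keys are placeholders that should be replaced with a different strong key per tunnel.

```cisco
! ---------- ASA 1 (site 1: OutsideEricom = Access A, outsideICE = Access C) ----------
! Host routes pin each peer to one outside interface, whichever default route is active.
! Gateways are the ones the posted default routes use (assumed correct for these links).
route OutsideEricom 200.200.100.1 255.255.255.255 100.100.100.254 1
route outsideICE    200.200.200.1 255.255.255.255 100.100.200.254 1
!
! One crypto map per outside interface, each with exactly one site-to-site peer.
! The existing seq 30 entry (peer 200.200.200.1) should be removed from OutsideEricom_map;
! that peer now lives on the outsideICE map. Seq 5000 (remote-access dynamic map) is unchanged.
crypto map OutsideEricom_map 10 match address TulltoLon
crypto map OutsideEricom_map 10 set peer 200.200.100.1
crypto map OutsideEricom_map 10 set transform-set TulltoLon
crypto map OutsideEricom_map 10 set connection-type bidirectional
crypto map OutsideEricom_map interface OutsideEricom
!
crypto map outsideICE_map 10 match address TulltoLon
crypto map outsideICE_map 10 set peer 200.200.200.1
crypto map outsideICE_map 10 set transform-set TulltoLon
crypto map outsideICE_map 10 set connection-type bidirectional
! Optional: let remote-access clients also land on Access C (reuses the existing dynamic map).
crypto map outsideICE_map 5000 ipsec-isakmp dynamic OutsideEricom_dyn_map
crypto map outsideICE_map interface outsideICE
! ISAKMP is already enabled on both outside interfaces in the posted config.
!
! One tunnel-group per peer; placeholders, use a distinct key per tunnel.
tunnel-group 200.200.100.1 type ipsec-l2l
tunnel-group 200.200.100.1 ipsec-attributes
 pre-shared-key KEY-TUNNEL-A-B
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
 pre-shared-key KEY-TUNNEL-C-D

! ---------- ASA 2 (site 2: OutsideDSL = Access B, outsideSDSL = Access D) ----------
route OutsideDSL  100.100.100.1 255.255.255.255 200.200.100.254 1
route outsideSDSL 100.100.200.1 255.255.255.255 200.200.200.254 1
!
! Each map lists only the peer reachable through its own interface
! (the posted config lists both peers on both maps, which is what let the
! second peer be tried on the interface whose default route was inactive).
crypto map OutsideDSL_map 10 match address LontoTull
crypto map OutsideDSL_map 10 set peer 100.100.100.1
crypto map OutsideDSL_map 10 set transform-set LontoTull
crypto map OutsideDSL_map 10 set connection-type bidirectional
crypto map OutsideDSL_map interface OutsideDSL
!
crypto map OutsideSDSL_map 10 match address LontoTull
crypto map OutsideSDSL_map 10 set peer 100.100.200.1
crypto map OutsideSDSL_map 10 set transform-set LontoTull
crypto map OutsideSDSL_map 10 set connection-type bidirectional
crypto map OutsideSDSL_map interface outsideSDSL
!
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 pre-shared-key KEY-TUNNEL-A-B
tunnel-group 100.100.200.1 type ipsec-l2l
tunnel-group 100.100.200.1 ipsec-attributes
 pre-shared-key KEY-TUNNEL-C-D

! ---------- Checks (privileged EXEC, on either ASA) ----------
! show route                                which default route is active, plus the two /32s
! show crypto isakmp sa                     one Phase 1 SA per peer that is currently up
! show crypto ipsec sa peer 200.200.100.1   #pkts encaps/decaps counters show which tunnel carries traffic
```

The /32 routes decide only where IKE and ESP packets addressed to each peer are sent. Traffic from the inside network still follows the active (tracked) default route, so the tunnel actually in use is the one on whichever outside interface is active at that moment; the local tracked route does not see a failure of the far end's link, which is why, as noted in the replies, losing A and D at the same time leaves no working tunnel.
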
Accepted Solution

by:
shakel_ie earned 0 total points
ID: 22723168
Hi Olivier,

Many thanks.

I have tested that and it does work. But as stated, if I lose ISP A and ISP D then I lose all tunnels.
I will post the updated, cleaned up config in the coming days for future reference.

Regards,
Shane
Expert Comment

by:cavacamite
ID: 24483799
Hello,
In the firewall configuration there are two crypto maps for each outside interface. Is that necessary or can you apply the same map to both the primary and secondary interfaces?
Thank you.