Solved

How do I configure redundant VPN tunnels to multiple sites?

Posted on 2008-10-15
7,888 Views
Last Modified: 2012-05-05
I am setting up network infrastructure in two sites in different countries.
Both have 2 ISPs.
Both require remote access VPNs.

On the ASA in both sites I have set up 2 outside interfaces and 1 inside interface.
I have a tracked default route to decide which link is active.
This all seems to work OK.

I now want to introduce a site-to-site VPN.
All the lines between the ASAs indicate possible site-to-site VPNs.

                      10.10.10.1
                          |
                     192.168.1.1
                          |
    100.100.100.1 ------ ASA 1 ------ 100.100.200.1
          |         \              /         |
          |           \          /           |
          |             \      /             |
          |               \  /               |
          |               /  \               |
          |             /      \             |
          |           /          \           |
          |         /              \         |
    200.200.100.1 ------ ASA 2 ------ 200.200.200.1
                          |
                     192.169.2.0

Current config below. I don't think I'm on the right track here...
I know there are redundant configs in there; I haven't got around to cleaning the config up, desperately trying to get this working.

This worked for a time and then stopped working.
In the logs I saw the following.
When both ASAs were using their primary ISPs:
100.100.100.1
200.200.100.1
the tunnel gave the following messages on ASA 2:
5      Oct 15 2008      13:26:22      713041                   IP = 100.100.100.1, IKE Initiator: New Phase 1, Intf outsideSDSL, IKE Peer 100.100.100.1  local Proxy Address 200.200.200.1, remote Proxy Address 100.100.100.1,  Crypto map (OutsideSDSL_map)
6      Oct 15 2008      13:26:22      110003                   Routing failed to locate next hop for udp from NP Identity Ifc:200.200.200.1/62465 to outsideSDSL:100.100.100.1/62465
Which makes sense, as the route for 200.200.200.1 is not active; why would it choose that interface when the route is not active?
Is there another way to do this?

Many thanks!
ASA 1

: Saved
:
ASA Version 7.2(1)
!
hostname cisco
domain-name xxx.local
enable password xxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 nameif outsideICE
 security-level 0
 ip address 100.100.200.1 255.255.255.0
!
interface Vlan12
 nameif OutsideEricom
 security-level 0
 ip address 100.100.100.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/6
 switchport access vlan 12
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/7
 switchport access vlan 12
 no nameif
 no security-level
 no ip address
!
passwd xxxU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx
same-security-traffic permit intra-interface
object-group service Filezilla tcp
 port-object range 10000 10000
access-list OutsideEricom_access_out extended permit ip any any
access-list OutsideEricom_access_in extended permit tcp any host 100.100.100.5 eq pptp
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 10.10.0.0 255.255.0.0 any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.176 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.1.176 255.255.255.248
access-list CompanyEircom_splitTunnelAcl_1 standard permit 10.10.0.0 255.255.0.0
access-list CompanyEircom_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list CompanyEircom_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list outsideICE_access_out extended permit ip any any
access-list CompanyICE_splitTunnelAcl_1 standard permit 10.10.0.0 255.255.0.0
access-list CompanyICE_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list CompanyICE_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list nonatvpn extended permit ip any 192.168.1.0 255.255.255.0
access-list nonatvpn extended permit ip any 10.10.0.0 255.255.0.0
access-list nonatvpn extended permit ip any 192.168.2.0 255.255.255.0
access-list nonatvpn extended permit ip any 192.168.3.0 255.255.255.0
access-list nonatvpn extended permit ip any 192.168.4.0 255.255.255.0
access-list TulltoLon extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list TulltoLon extended permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list TulltoLon extended permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging from-address xxx
logging recipient-address xxx level errors
logging facility 22
logging device-id ipaddress inside
logging host inside 192.168.1.90
mtu inside 1500
mtu outsideICE 1500
mtu OutsideEricom 1500
ip local pool VPNpool 192.168.1.176-192.168.1.200 mask 255.255.255.0
ip local pool TullVPNPool 192.168.4.100-192.168.4.200 mask 255.255.255.0
no failover
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outsideICE) 1 interface
global (OutsideEricom) 1 interface
nat (inside) 0 access-list nonatvpn
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,OutsideEricom) 100.100.100.5 192.168.1.1 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outsideICE_access_out out interface outsideICE
access-group OutsideEricom_access_in in interface OutsideEricom
access-group OutsideEricom_access_out out interface OutsideEricom
route OutsideEricom 0.0.0.0 0.0.0.0 100.100.100.254 2 track 2
route inside 10.10.0.0 255.255.0.0 192.168.1.10 1
route outsideICE 0.0.0.0 0.0.0.0 100.100.200.254 11
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 1:00:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server CompanyAD protocol ldap
aaa-server CompanyAD host 192.168.1.1
 ldap-base-dn DC=Company,DC=local
 ldap-scope subtree
 ldap-naming-attribute samAccountName
 ldap-login-password xxxx
 ldap-login-dn CN=Administrator,CN=Users,DC=Company,DC=local
 server-type microsoft
aaa-server cisco protocol ldap
aaa-server cisco host 192.168.1.1
 ldap-base-dn OU=Company Users,DC=Company,DC=local
 ldap-scope subtree
 ldap-naming-attribute samAccountName
 ldap-login-password xxx
 ldap-login-dn CN=Administrator,CN=users,DC=Company,DC=local
 server-type microsoft
group-policy CompanyEircom internal
group-policy CompanyEircom attributes
 dns-server value 192.168.1.1 192.168.1.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CompanyEircom_splitTunnelAcl_1
 default-domain value Company.local
group-policy CompanyICE internal
group-policy CompanyICE attributes
 dns-server value 192.168.1.1 192.168.1.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CompanyICE_splitTunnelAcl_1
 default-domain value Company.local
http server enable
http 192.168.4.0 255.255.255.0 outsideICE
http 192.168.4.0 255.255.255.0 OutsideEricom
http 192.168.3.0 255.255.255.0 OutsideEricom
http 192.168.3.0 255.255.255.0 outsideICE
http 192.168.2.0 255.255.255.0 outsideICE
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 OutsideEricom
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 2
 type echo protocol ipIcmpEcho 1.1.1.1 interface OutsideEricom
sla monitor schedule 2 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TulltoLon esp-3des esp-sha-hmac
crypto dynamic-map OutsideEricom_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map OutsideEricom_map 10 match address TulltoLon
crypto map OutsideEricom_map 10 set connection-type answer-only
crypto map OutsideEricom_map 10 set peer 200.200.100.1
crypto map OutsideEricom_map 10 set transform-set TulltoLon
crypto map OutsideEricom_map 30 match address TulltoLon
crypto map OutsideEricom_map 30 set connection-type answer-only
crypto map OutsideEricom_map 30 set peer 200.200.200.1
crypto map OutsideEricom_map 30 set transform-set TulltoLon
crypto map OutsideEricom_map 5000 ipsec-isakmp dynamic OutsideEricom_dyn_map
crypto map OutsideEricom_map interface OutsideEricom
crypto isakmp enable outsideICE
crypto isakmp enable OutsideEricom
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 2 rtr 2 reachability
tunnel-group CompanyEircom type ipsec-ra
tunnel-group CompanyEircom general-attributes
 address-pool VPNpool
 authentication-server-group CompanyAD
 default-group-policy CompanyEircom
tunnel-group CompanyEircom ipsec-attributes
 pre-shared-key *
tunnel-group CompanyICE type ipsec-ra
tunnel-group CompanyICE general-attributes
 address-pool VPNpool
 authentication-server-group CompanyAD
 default-group-policy CompanyICE
tunnel-group CompanyICE ipsec-attributes
 pre-shared-key *
tunnel-group 200.200.100.1 type ipsec-l2l
tunnel-group 200.200.100.1 ipsec-attributes
 pre-shared-key *
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
 pre-shared-key *
tunnel-group xxxVPN type ipsec-ra
tunnel-group xxxVPN general-attributes
 address-pool TullVPNPool
 authentication-server-group CompanyAD
 default-group-policy CompanyEircom
tunnel-group xxxVPN ipsec-attributes
 pre-shared-key *
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 outsideICE
telnet 192.168.4.0 255.255.255.0 outsideICE
telnet 192.168.3.0 255.255.255.0 outsideICE
telnet 192.168.2.0 255.255.255.0 OutsideEricom
telnet 192.168.4.0 255.255.255.0 OutsideEricom
telnet 192.168.3.0 255.255.255.0 OutsideEricom
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outsideICE
!
dhcpd dns xx.xx.xx.xx interface inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect pptp
!
service-policy global_policy global
smtp-server 192.168.1.5
prompt hostname context
Cryptochecksum:d0431b377933e872433a2f9f90049dab
: end

ASA 2

:
ASA Version 7.2(3)
!
hostname xxx
domain-name Company.com
enable password NSIJu5hcxOgOrdh7 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outsideSDSL
 security-level 0
 ip address 200.200.200.1 255.255.255.248
!
interface Vlan12
 nameif OutsideDSL
 security-level 0
 ip address 200.200.100.1 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name Company.com
same-security-traffic permit intra-interface
object-group service tomcat tcp
 port-object range https https
 port-object range www www
 port-object range 8080 8082
 port-object range 8443 8445
 port-object range 8453 8455
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-list OutsideDSL_access_out extended permit ip any any
access-list outsideSDSL_access_out extended permit ip any any
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list CompanyLonDSL_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list CompanyLonDSL_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list CompanyLonDSL_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list nonatvpn extended permit ip any 192.168.2.0 255.255.255.0
access-list nonatvpn extended permit ip any 192.168.1.0 255.255.255.0
access-list nonatvpn extended permit ip any 192.168.3.0 255.255.255.0
access-list nonatvpn extended permit ip any 10.10.0.0 255.255.0.0
access-list nonatvpn extended permit ip any 192.168.4.0 255.255.255.0
access-list LontoTull extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list LontoTull extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list LontoTull extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list LontoTull extended permit ip 192.168.3.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list OutsideDSL_access_in extended permit tcp any host 200.200.100.5 object-group tomcat
access-list OutsideDSL_access_in extended permit tcp any host 200.200.100.6 object-group tomcat
access-list OutsideDSL_access_in remark Rule to allow http to 2.200
access-list OutsideDSL_access_in extended permit tcp any interface OutsideDSL eq www
access-list OutsideDSL_access_in remark Rule to allow traffic to auth on 2.185 po 15000
access-list OutsideDSL_access_in extended permit tcp any interface OutsideDSL eq 15000
access-list OutsideDSL_access_in remark Rule to allow traffic to https on 2.12
access-list OutsideDSL_access_in extended permit tcp any interface OutsideDSL eq https
access-list OutsideDSL_access_in remark Rule to allow traffic to ftp on 2.20
access-list OutsideDSL_access_in extended permit tcp any interface OutsideDSL eq ftp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outsideSDSL 1500
mtu OutsideDSL 1500
ip local pool pool_201_219 192.168.2.201-192.168.2.219 mask 255.255.255.0
ip local pool LonVPNPool 192.168.3.100-192.168.3.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outsideSDSL) 1 interface
global (OutsideDSL) 1 interface
nat (inside) 0 access-list nonatvpn
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,OutsideDSL) tcp interface www 192.168.2.200 www netmask 255.255.255.255
static (inside,OutsideDSL) tcp interface 15000 192.168.2.185 15000 netmask 255.255.255.255
static (inside,OutsideDSL) tcp interface https 192.168.2.12 https netmask 255.255.255.255
static (inside,OutsideDSL) tcp interface ftp 192.168.2.20 ftp netmask 255.255.255.255
static (inside,OutsideDSL) 200.200.100.5 192.168.2.38 netmask 255.255.255.255
static (inside,OutsideDSL) 200.200.100.6 192.168.2.52 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outsideSDSL_access_out out interface outsideSDSL
access-group OutsideDSL_access_in in interface OutsideDSL
access-group OutsideDSL_access_out out interface OutsideDSL
route OutsideDSL 0.0.0.0 0.0.0.0 200.200.100.254 1 track 1
route outsideSDSL 0.0.0.0 0.0.0.0 200.200.200.254 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 1:00:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.4.0 255.255.255.0 OutsideDSL
http 192.168.4.0 255.255.255.0 outsideSDSL
http 192.168.1.0 255.255.255.0 OutsideDSL
http 192.168.1.0 255.255.255.0 outsideSDSL
http 192.168.3.0 255.255.255.0 outsideSDSL
http 192.168.3.0 255.255.255.0 OutsideDSL
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho 208.67.222.222 interface OutsideDSL
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set LontoTull esp-3des esp-sha-hmac
crypto dynamic-map OutsideDSL_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OutsideSDSL_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map dyn_map 20 set reverse-route
crypto map OutsideDSL_map 10 match address LontoTull
crypto map OutsideDSL_map 10 set connection-type originate-only
crypto map OutsideDSL_map 10 set peer 100.100.100.1 100.100.200.1
crypto map OutsideDSL_map 10 set transform-set LontoTull
crypto map OutsideDSL_map 20 ipsec-isakmp dynamic OutsideDSL_dyn_map
crypto map OutsideDSL_map interface OutsideDSL
crypto map OutsideSDSL_map 10 match address LontoTull
crypto map OutsideSDSL_map 10 set connection-type originate-only
crypto map OutsideSDSL_map 10 set peer 100.100.100.1 100.100.200.1
crypto map OutsideSDSL_map 10 set transform-set LontoTull
crypto map OutsideSDSL_map 20 ipsec-isakmp dynamic OutsideSDSL_dyn_map
crypto map OutsideSDSL_map interface outsideSDSL
crypto isakmp enable OutsideDSL
crypto isakmp enable outsideSDSL
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 outsideSDSL
telnet 192.168.3.0 255.255.255.0 outsideSDSL
telnet 192.168.4.0 255.255.255.0 outsideSDSL
telnet 192.168.1.0 255.255.255.0 OutsideDSL
telnet 192.168.3.0 255.255.255.0 OutsideDSL
telnet 192.168.4.0 255.255.255.0 OutsideDSL
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outsideSDSL
!
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect icmp error
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect waas
  inspect xdmcp
!
service-policy global-policy global
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.2.200
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value Company.com
group-policy CompanyLonDSL internal
group-policy CompanyLonDSL attributes
 dns-server value 192.168.2.200
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CompanyLonDSL_splitTunnelAcl
 default-domain value Company.com
username xxx password xxx encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
 address-pool pool_201_219
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group CompanyLonDSL type ipsec-ra
tunnel-group CompanyLonDSL general-attributes
 address-pool LonVPNPool
 default-group-policy CompanyLonDSL
tunnel-group CompanyLonDSL ipsec-attributes
 pre-shared-key *
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 pre-shared-key *
tunnel-group 100.100.200.1 type ipsec-l2l
tunnel-group 100.100.200.1 ipsec-attributes
 pre-shared-key *
tunnel-group xxxVPN type ipsec-ra
tunnel-group xxxVPN general-attributes
 address-pool LonVPNPool
 default-group-policy CompanyLonDSL
tunnel-group xxxVPN ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:c5911e7fe6c4c9f73cf4832c05c34865
: end

Question by:shakel_ie

6 Comments

Expert Comment
by:olivierbreuer
Hello,

(please open my small drawing)

I have changed the IP addresses you have defined in your example to explicit letters, to avoid confusion.

ASA 1 has 2 internet accesses - Access A and C
ASA 2 also has 2 internet accesses - Access B and D

The best way to have a reliable, easy configuration solution is to create 2 static routes with a /32 mask.

On ASA 1 create a static route to access B using interface A, and to access D use interface C.
On ASA 2 do the opposite.
So you have 2 specific, static paths to access your other firewall using the internet.

After that, you just have to create 2 site-to-site VPN tunnels; this will guarantee you redundancy and also minimizes complexity, so troubleshooting is easy when a problem occurs.

Having 4 different tunnels will strongly increase the complexity of your solution and, from my point of view, will not add extra redundancy.

Don't forget that if, after your complex configuration, you are stuck for a week or more and you are not able to let your employees work because of this kind of problem, you will lose a lot of money.

That's, for me, the easiest, safest way to create redundancy between your firewalls.

Hope that you have understood my opinion. If you want more explanations on this I will be pleased to help you out.

Regards,

Olivier

Image-5.png
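As an added illustration (not from the thread, Cisco or either poster), a small Python model of the ASA route lookup: it shows why an IKE initiator bound to the secondary outside interface cannot find a next hop while only the two default routes exist (the 110003 message in the question), and how the two /32 host routes suggested above pin each remote peer to one ISP. Interface names and addresses are those of the posted ASA 2 config; the lookup rules (longest prefix, then lowest metric, tracked routes withdrawn when the probe fails, interface-sourced IKE must egress its own interface) are the modelled assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass
class Route:
    prefix: IPv4Network
    iface: str
    next_hop: IPv4Address
    metric: int
    track_up: bool = True  # False models 'track N rtr N reachability' reporting the probe down


def lookup(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest prefix match, then lowest metric, over routes whose track is up."""
    live = [r for r in table if r.track_up and dst in r.prefix]
    if not live:
        return None
    return max(live, key=lambda r: (r.prefix.prefixlen, -r.metric))


def ike_next_hop(table: List[Route], src_iface: str, peer: str) -> Optional[str]:
    """IKE sourced from an interface address must leave through that same interface.
    None reproduces the 'Routing failed to locate next hop' (110003) condition."""
    route = lookup(table, IPv4Address(peer))
    if route is None or route.iface != src_iface:
        return None
    return str(route.next_hop)


def asa2_table(dsl_probe_up: bool = True, host_routes: bool = False) -> List[Route]:
    """ASA 2 as posted: tracked default via OutsideDSL (metric 1), floating default
    via outsideSDSL (metric 2). host_routes adds the answer's per-peer /32 routes."""
    table = [
        Route(IPv4Network("0.0.0.0/0"), "OutsideDSL", IPv4Address("200.200.100.254"), 1, dsl_probe_up),
        Route(IPv4Network("0.0.0.0/0"), "outsideSDSL", IPv4Address("200.200.200.254"), 2),
    ]
    if host_routes:
        # One /32 per remote ASA 1 peer, each bound to the ISP that should carry that tunnel
        table += [
            Route(IPv4Network("100.100.100.1/32"), "OutsideDSL", IPv4Address("200.200.100.254"), 1),
            Route(IPv4Network("100.100.200.1/32"), "outsideSDSL", IPv4Address("200.200.200.254"), 1),
        ]
    return table


if __name__ == "__main__":
    before = asa2_table()
    # The logged failure: the outsideSDSL crypto map initiating to 100.100.100.1
    # while the lower-metric default route points out OutsideDSL.
    print("before, outsideSDSL -> 100.100.100.1:", ike_next_hop(before, "outsideSDSL", "100.100.100.1"))
    after = asa2_table(host_routes=True)
    print("after,  OutsideDSL  -> 100.100.100.1:", ike_next_hop(after, "OutsideDSL", "100.100.100.1"))
    print("after,  outsideSDSL -> 100.100.200.1:", ike_next_hop(after, "outsideSDSL", "100.100.200.1"))
```

With the host routes in place each tunnel depends on exactly one ISP pair, which is also why losing ISP A together with ISP D leaves no tunnel, as the answers below note.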

Author Comment
by:shakel_ie
Hi Olivier,

Thanks for the response. I will try this out.
Just a few questions on this:
1. If I happen to lose ISP A and ISP D then I will have no tunnel right?
2. Are both tunnels up at all times in normal operating conditions?
3. Can I prioritise one tunnel over the other?
4. Can I know what tunnel is being used for traffic?

Many thanks.
Shane

Assisted Solution
by:olivierbreuer
olivierbreuer earned 500 total points
Answers:

1. If you lose ISP A and ISP D at the same time, you will not have tunnels anymore.
2. Both tunnels are up at all times in normal operating conditions.
3. I don't think so.
4. Yes, using real-time network traffic.

You can also check this useful resource:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Regards,

Olivier

Accepted Solution
by:shakel_ie
shakel_ie earned 0 total points
Hi Olivier,

Many thanks.

I have tested that and it does work. But as stated, if I lose ISP A and ISP D then I lose all tunnels.
I will post the updated, cleaned up config in the coming days for future reference.

Regards,
Shane

Expert Comment
by:cavacamite
Hello,
In the firewall configuration there are two crypto maps for each outside interface. Is that necessary or can you apply the same map to both the primary and secondary interfaces?
Thank you.