Solved

Failover Site-to-Site VPN

Posted on 2010-09-02
8
2,202 Views
Last Modified: 2012-05-10
I have a need to setup a failover VPN. I have two sites that each connect to the same remote site via a site-to-site VPN. The remote site has installed a failover internet connection and would like me to configure a failover VPN on my two sites.

So my two sites are a Cisco ASA 5505 and a SonicWALL TZ200 Wireless. How would I configure automatic failover VPN tunnels on my devices? Remember, I have a single Internet connection and the remote site has two Internet connections. Thanks.
0
Comment
Question by:mthsupport
8 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 33588715
Of the site that has the two connections, do they have the Cisco or the Sonicwall?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33588756
If it is the SonicWALL, then you can specify both public IP addresses in the SA. Specify the failover address in the secondary. See the links below for KB articles on this setting. The articles are a little old, but the concept is still valid.

http://www.sonicwall.com/downloads/Using_Secondary_IPSec_Gateway.pdf
http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=4974
0
 

Author Comment

by:mthsupport
ID: 33591491
The remote site has a Cisco SA 540 Small Business Appliance.

Thanks for the info digitap. I'll look over that and see what I can do on the SonicWALL.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33591522
And it's the Cisco that has the failover Internet connection?
0
 

Author Comment

by:mthsupport
ID: 33595890
Yes, the Cisco SA 540 at the remote site has the failover Internet connection. My two sites that connect to the remote site with SA have a SonicWALL TZ200W and a Cisco ASA 5505.

Remote site with Failover Internet
FW: Cisco SA 540
Internet connection 1 (primary)
Internet connection 2 (failover)

My site 1
FW: Cisco ASA 5505
Internet connection 1
VPN Tunnel 1 Primary
VPN Tunnel 2 Failover

My Site 2
FW: SonicWALL TZ200W
Internet connection 1
VPN tunnel 1 primary
VPN Tunnel 2 failover

How do I setup the failover VPN on my sites? The article for the SonicWALL you provided looks promising. But still nothing on the ASA.
0
 
LVL 33

Accepted Solution

by: digitap (earned 500 total points)
ID: 33596234
My experience with Cisco is minimal.  However, on the sonicwall, you want to put the public IP address of the Primary internet into the IPSec Primary Gateway field and the public IP address of the failover internet into the IPSec Secondary Gateway field.  There's not much needed on the Sonicwall.  When the primary fails, then the Sonicwall will try the secondary IP address.

Now, from your configuration, it looks like you have the primary and failover connect to BOTH Cisco routers, correct?  Are the two Cisco routers in a hardware failover configuration?
0
 

Author Comment

by:mthsupport
ID: 33626826
Here is how it is done on the ASA. And just like the SonicWALL the only way to failback over to the primary peer (gateway) is for the secondary peer (gateway) to fail. If the secondary peer never goes offline when the primary comes back online neither the ASA nor the SonicWALL will automatically failover to the primary peer (gateway).

1. Configure LAN-to-LAN normally. On the remote end (with one ISP link), configure two peer IP addresses in the same crypto map and specify the pre-shared key for both of the peer's IPs.
2. Dead Peer Detection is required (it is turned on by default on the ASA; on routers you would need to enable it manually).
The attributes remain the same, and the tunnel should come up fine with the secondary in case the VPN to the primary goes down.

Digitap: Thanks for the guidance on the SonicWALL. You'll get all the points.
0
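Added example, not part of mthsupport's post and not the actual configuration of either site: an ASA 5505 (8.2-era syntax) LAN-to-LAN configuration that shows the two steps described above, a single crypto map entry carrying both remote peer addresses and a tunnel-group with the same pre-shared key and DPD keepalives for each peer. All subnets, peer addresses, object names and the key are placeholders.

```cisco
! Added example, not the poster's configuration. Every address, name and key
! below is an assumed placeholder (RFC 5737 documentation ranges).

! Interesting traffic: LAN behind this ASA 5505 <-> LAN behind the remote SA 540
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

! Keep tunnel traffic out of the outside PAT (8.2 "nat 0" style)
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list no_nat

! Phase 1 (ISAKMP) policy; must match what the SA 540 proposes
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2 transform set
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

! Step 1: ONE crypto map entry listing BOTH remote peers. The primary ISP
! address is listed first; the ASA only moves to the second peer when the
! first is declared dead, and (as the post notes) stays there until that
! peer in turn fails.
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10 198.51.100.10
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

! A tunnel-group per peer address, each with the same pre-shared key.
! Step 2: DPD is on by default; the keepalive line makes the detection
! threshold (seconds idle before probing) and retry interval explicit.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
 isakmp keepalive threshold 10 retry 2

tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
 isakmp keepalive threshold 10 retry 2
```

`show crypto isakmp sa` and `show crypto ipsec sa` show which of the two peers the tunnel is currently established with, which is the quickest way to confirm a failover actually happened rather than the primary simply recovering. The keepalive threshold and retry values decide how long a dead primary goes unnoticed before the ASA tries the secondary, so keep them consistent with the DPD settings on the SA 540. On ASA 8.4 and later the same design is expressed with `crypto ikev1 policy` and `ikev1 pre-shared-key`, and NAT exemption is written as a twice NAT rule instead of `nat (inside) 0`.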
 
LVL 33

Expert Comment

by:digitap
ID: 33627008
Thanks for the points!  Also, thanks for posting back a great description to your final solution!
0
