kingshuksinha
Link failover

Dear all,
We have 2 ISPs. One ISP (2 MBps) terminates into a Cisco 2811 router, and the other ISP (10 MBps) line is terminated on fiber optics and then into a FortiGate 50B UTM device.

What are the options for me to configure static link failover between the router and the UTM?
Please let me know step by step.

warm regards
king
Istvan Kalmar

Hi,

Please refer to this guide:
http://www.inacom-sby.net/Shawn/post/2007/11/Cisco-IP-SLA-for-failover.aspx
You need to track your ISP leg.
Here is the Cisco configuration example for redundant ISP links:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Good Luck.
kingshuksinha

Hi MikeKane,

The scenario is almost the same, but there is one problem. In the ASA 5510 I set up 22 site-to-site VPNs in the DMZ, so I don't want to disturb the site-to-site VPNs in my ASA DMZ.
My question is: if I do link failover, then my IP address will change, and in that case will my VPN work or not? If not, then what should I do?
One of my inside interfaces of the ASA 5510 is free and I can use that interface to connect to the second ISP. Can I assign a public IP to my ASA inside interface, sir?

OR

Can I do link failover with the router 2811 and the FortiGate 50B UTM, which I can connect to the second ISP?
My current network diagram:
ISP (leased line) ---> Router 2811 ---> 8-port unmanaged switch ---> outside interface of ASA 5510, and from the ASA DMZ to TMG (Microsoft Threat Management Gateway) ---> Cisco 3650 switch.

We are having another ISP with 10 MBps fiber optics and I have a FortiGate 50B UTM.

If one ISP goes down, how do I bring up the other one automatically without disturbing the site-to-site VPNs in the ASA 5510 DMZ?

Please let me know step by step as I am a novice user.

Thanks a lot in advance.
Warm regards
King
You can set this up, but it would require config changes at all branches.

This forum post goes into the details:
https://supportforums.cisco.com/message/3026526

The key here is to have the remote sites configured with the IPs of both the primary and backup ISP links.
For example: "crypto map outside_map 1 set peer 1.1.1.1 2.2.2.2"

Hi Mike,

Could you please explain it in detail, because I am facing this problem and don't know how to resolve it from the above-mentioned scenario.

Warm regards
king
ASKER CERTIFIED SOLUTION
MikeKane
Dear Mike,

Just a confusion. Right now my site-to-site IPsec VPN configuration is like this:
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 59.90.xx.xx (remote fortigate 50B utm public ip)
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 1800

Shall I insert: crypto map outside_map 1 set peer 202.xx.xxx.xx (ASA public IP) 127.xx.xxx.xx (second ISP public IP)

Is this line enough, or do I have to do something else as well? Please do let me know.

Warm regards
king
The multiple peers have to be set at the remote point, not at the central ASA. Each remote point needs to know that there are 2 possible connection IPs for the VPN.

This >> Shall I insert crypto map outside_map 1 set peer 202.xx.xxx.xx (ASA public IP) 127.xx.xxx.xx (second ISP public IP)
should only be set at the remote endpoint.
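The two pieces discussed in this thread, the IP SLA-tracked failover route on the hub router from the guides Istvan linked and the two-peer crypto map Mike describes for the remote Cisco endpoint, written out as one added configuration example (not from the original thread, Cisco's documentation or any poster). All addresses are RFC 5737 documentation placeholders; interface names, the probe target and the transform-set name are assumptions.

```cisco
! ===== Hub router (the 2811): detect primary ISP failure with an IP SLA ICMP probe =====
! Probe a host on the primary ISP side (placeholder 203.0.113.254) every 10 seconds.
! Older IOS (12.4 mainline) uses "ip sla monitor 1" / "type echo protocol ipIcmpEcho"
! and "track 1 rtr 1 reachability" instead of the syntax below.
ip sla 1
 icmp-echo 203.0.113.254 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object follows probe reachability; the hold-down delays stop a single lost
! ping from flapping the default route (and every VPN behind it).
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Pin the probe target to the primary next hop, otherwise the probe would quietly
! succeed over the backup ISP after failover and the router would never fail back.
ip route 203.0.113.254 255.255.255.255 203.0.113.1
!
! Primary default route stays in the table only while track 1 is up; the floating
! static route (administrative distance 250) via the backup ISP takes over otherwise.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! ===== Remote Cisco endpoint (branch ASA): both hub public addresses as peers =====
! Hub is reached at 203.0.113.10 via the primary ISP and 198.51.100.10 via the backup;
! the ASA tries them in the order listed when the current peer stops answering.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.10 198.51.100.10
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! One tunnel-group per hub address: the pre-shared key and IKE settings are looked up
! by peer IP, so the backup address needs its own entry or IKE to it fails.
! Dead Peer Detection is what makes the branch notice the primary is gone and move on.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
 isakmp keepalive threshold 10 retry 2
```

Track state transitions are logged by the router, so sending its syslog to a collector gives a clean record of every failover and failback rather than discovering one from user complaints.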
Dear Mike,

Since the second ISP, which is a fibre optics line of 10 MBps, has been down for a long time, I am unable to check the solution which you have mentioned.

After checking I'll let you know.
Well, I just wanted to ask you a question...

Is it possible to add one more ISP in the FortiGate UTM 50B for the remote branch office?

Warm regards
king
I'm not a FortiGate expert, so I don't have an answer to that question. Those examples above are for Cisco solutions...
Dear all,

Solved the problem without using the UTM. Disconnected the UTM.
Terminated the router and the ASA in an 8-port switch, and in the router added the secondary route for the fiber line.
So that as soon as the router goes down, the traffic will automatically switch over to the fiber line.

Thanks a lot for all your valuable contributions, and I hope you will continue to do so in the days to come.

Warm regards
king
Glad it is working.    

Please remember to close the issue and assign the points as you see fit.  

Thanks a lot, Mike... Really sorry to say that I can't disturb the current scenario as it is working fine... If anything goes wrong I'll surely try your solution... Hope it will work...
I am sorry for the delay in replying... Hope you don't mind, but please keep up the good work.

Thanks a lot again, Mike.