
Cisco ASA - backup VPN connection failover

Posted on 2011-03-07
Last Modified: 2012-06-27
A customer has an existing Cisco ASA (ASA1) providing primary Internet and remote site VPN connectivity. One of the site-to-site VPN connections (Site X) is critical to the organization, so they need to implement a backup/failover VPN to Site X using a 2nd ASA (ASA2) connected to another ISP. Both ASAs are in place (ASA2 currently only handling an incoming remote VPN connection).

We need to somehow configure failover for the Site X VPN - if ASA1 (or its ISP connection) fails, we need the traffic destined for Site X to automatically fail over to the Site X VPN through ASA2/ISP2. We don't care about load-balancing at this point, just failover for VPN connectivity.

Thanks, and as always, reference docs/links are appreciated!
Question by:cfan73
Accepted Solution

by:
MikeKane earned 2000 total points
ID: 35070182
For the remote site, I think you need 2 things.

First, you need to make sure you've set up the redundant ISP config on the ASA.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
With that, if the primary ISP fails, the 2nd ISP becomes active as the default gateway.  

Second, in the VPN config at the remote site, you need to add the 2nd ASA IP as the 2nd peer address.  

You probably have a "CRYPTO MAP <name> SET PEER x.x.x.x" set up in the VPN section. You just add the 2nd IP inline: "CRYPTO MAP <name> SET PEER x.x.x.x y.y.y.y"
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2066090
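The two-peer crypto map described in the answer above, shown as a fuller config fragment. This is an added example, not part of the original answer. It assumes the Site X device is also an ASA running 8.0-8.3 style syntax; all addresses, object names and keys are constructed placeholders.

```cisco
! Site X ASA (constructed example)
! 192.0.2.10    = ASA1 outside address via ISP1 (placeholder)
! 198.51.100.10 = ASA2 outside address via ISP2 (placeholder)
! 10.20.0.0/24  = Site X LAN, 10.10.0.0/24 = customer LAN (placeholders)

access-list VPN_TO_HQ extended permit ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0

! Same transform set for both peers, so the backup path is not weaker
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address VPN_TO_HQ
! Peers are tried in the order listed: ASA1 first, ASA2 as fallback
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! Each peer address needs its own tunnel-group; use a distinct key per peer
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key <PSK-FOR-ASA1>
 ! Keepalives (DPD) let the ASA notice a dead peer and move to the next one
 isakmp keepalive threshold 10 retry 2

tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <PSK-FOR-ASA2>
 isakmp keepalive threshold 10 retry 2
```

ASA2 needs the mirror-image crypto ACL, the same proposals, and a tunnel-group for the Site X peer address, and the customer's internal routing has to send Site X traffic to ASA2 when ASA1 is down.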
Question has a verified solution.
