VPN failover between ASA 5510s
Currently I have a network that looks like this:
ASA5510 - - - Internet - - - ASA5510
| |
EIGRP EIGRP
| |
2821 -----------MPLS----------1
BGP
The MPLS connection is currently down, I'm trying to run a failover Site-to-Site VPN over the internet. All of the examples I've read have both connections involved in the failover coming out of one device. Since I'm not working that way, what is going to be the best way to failover? Do I need to set up some sort of IP SLA in the config? Or can I somehow weight routes in EIGRP in a way that the connection will failover from Internet to MPLS when the MPLS goes down and vice versa when the MPLS connection comes back up?
This post has a very similar situation, but the instructions weren't detailed enough for me to follow: https://supportforums.cisco.com/thread/2006404
Any help is appreciated as these 2 sites are currently cut off from one another.
Thanks in advance.
ASA5510 - - - Internet - - - ASA5510
| |
EIGRP EIGRP
| |
2821 -----------MPLS----------1
BGP
The MPLS connection is currently down, I'm trying to run a failover Site-to-Site VPN over the internet. All of the examples I've read have both connections involved in the failover coming out of one device. Since I'm not working that way, what is going to be the best way to failover? Do I need to set up some sort of IP SLA in the config? Or can I somehow weight routes in EIGRP in a way that the connection will failover from Internet to MPLS when the MPLS goes down and vice versa when the MPLS connection comes back up?
This post has a very similar situation, but the instructions weren't detailed enough for me to follow: https://supportforums.cisco.com/thread/2006404
Any help is appreciated as these 2 sites are currently cut off from one another.
Thanks in advance.
InteraX
You should be able to automatically failover to VPN backup. We are using SLA monitoring because we cannot read the routing tables out from our MPLS providers routers. If you can publish the routes out from your cisco router to the ASA, the you can have automatic failover by relying on the default route, assuming the ASA is your default gateway. Which version of ASA software do you use? EIGRP isn't supported before 8.0.2.
ASKER
EIGRP has been running on our network for several years now, that's not the issue. I realize I should be able to do failover, but everything I've tried so far has been unsuccessful. Does anyone have a working example of such a failover in place? Even if the networking protocols are different the code might point me in the right direction.
Thanks.
Thanks.
We have working failover. Where is the failover not working? What are the symptoms/problems? When the failover is supposed to work, what are your routing tables on the routers showing? Also, some idea of IPs would be useful. They don't have to be the real IP subnets. What are the other networks and how are they connected? Are they behind the ASA from the MPLS perspective or not?
Our networks are structured as follows
RTR--------Internet-------
| |
LAN----ASA ASA----LAN
| |
RTR ----------MPLS----------RT
We are using SLA monitoring as we currently cannot read out the routing tables from the MPLS provider and this works. If we get a failure on the MPLS, our VPNs start working.
I can't provide running configs due to security reasons, but I can run you through your config using the concepts involved.
Our networks are structured as follows
RTR--------Internet-------
| |
LAN----ASA ASA----LAN
| |
RTR ----------MPLS----------RT
We are using SLA monitoring as we currently cannot read out the routing tables from the MPLS provider and this works. If we get a failure on the MPLS, our VPNs start working.
I can't provide running configs due to security reasons, but I can run you through your config using the concepts involved.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Situation was no longer present so troubleshooting was no longer possible.