travisryan asked:

VPN failover between ASA 5510s

Currently I have a network that looks like this:
ASA5510 - - - Internet - - - ASA5510
   |                            |
 EIGRP                        EIGRP
   |                            |
 2821 -----------MPLS---------- 1841
The MPLS connection is currently down, and I'm trying to run a failover site-to-site VPN over the Internet. All of the examples I've read have both connections involved in the failover coming out of one device. Since I'm not working that way, what is going to be the best way to fail over? Do I need to set up some sort of IP SLA in the config? Or can I somehow weight routes in EIGRP in a way that the connection will fail over from Internet to MPLS when the MPLS goes down and vice versa when the MPLS connection comes back up?
This post has a very similar situation, but the instructions weren't detailed enough for me to follow:

Any help is appreciated as these 2 sites are currently cut off from one another.
Thanks in advance.
InteraX:

You should be able to automatically fail over to VPN backup. We are using SLA monitoring because we cannot read the routing tables out from our MPLS provider's routers. If you can publish the routes out from your Cisco router to the ASA, then you can have automatic failover by relying on the default route, assuming the ASA is your default gateway. Which version of ASA software do you use? EIGRP isn't supported before 8.0.2.
travisryan:

EIGRP has been running on our network for several years now; that's not the issue. I realize I should be able to do failover, but everything I've tried so far has been unsuccessful. Does anyone have a working example of such a failover in place? Even if the networking protocols are different, the code might point me in the right direction.

We have working failover. Where is the failover not working? What are the symptoms/problems? When the failover is supposed to work, what are your routing tables on the routers showing? Also, some idea of IPs would be useful. They don't have to be the real IP subnets. What are the other networks and how are they connected? Are they behind the ASA from the MPLS perspective or not?

Our networks are structured as follows

        |                            |
LAN----ASA                          ASA----LAN
        |                            |
       RTR ----------MPLS---------- RTR

We are using SLA monitoring as we currently cannot read out the routing tables from the MPLS provider and this works. If we get a failure on the MPLS, our VPNs start working.

I can't provide running configs due to security reasons, but I can run you through your config using the concepts involved.
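
A sketch of the SLA-monitored failover described in this thread, added here as an example; it is not a configuration posted by either participant. All addresses and the names VPN-BACKUP and OUTSIDE-MAP are constructed, and it assumes the ASA uses a static route toward the MPLS router and that the site-to-site tunnel (ISAKMP policy, tunnel-group, transform set) is already defined.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   local LAN 10.1.0.0/24, remote LAN 10.2.0.0/24
!   local MPLS router on the inside segment: 10.1.0.254
!   far-end router's MPLS WAN address (probe target): 172.16.0.2
!   ISP next hop 198.51.100.1

! Pin the probe target to the MPLS path with an untracked host route,
! so probes never follow the default route or enter the VPN tunnel.
route inside 172.16.0.2 255.255.255.255 10.1.0.254 1

! ICMP probe across the MPLS: 3 echoes every 10 seconds.
sla monitor 10
 type echo protocol ipIcmpEcho 172.16.0.2 interface inside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Track object follows the probe result.
track 1 rtr 10 reachability

! Primary path: remote LAN via MPLS, installed only while track 1 is up.
route inside 10.2.0.0 255.255.255.0 10.1.0.254 1 track 1

! Backup path: when the tracked route is withdrawn, traffic for
! 10.2.0.0/24 follows the default route out the outside interface ...
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! ... where it matches the crypto ACL and brings up the VPN.
! The probe target 172.16.0.2 is deliberately outside this ACL.
access-list VPN-BACKUP extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-BACKUP
```

The far-end ASA needs the mirror image of this, otherwise return traffic keeps trying the dead MPLS path. `show track 1` and `show route` on the ASA confirm whether the tracked route is currently installed.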
travisryan:

Situation was no longer present so troubleshooting was no longer possible.