Route VPN connection during DR site failover

Currently we have a few clients that we have a site to site vpn connection with to our data center.  We are in the process of adding a DR site in the event our primary data center fails.  My question is "how can I get the site to site connections to connect to the DR site?"    If we fail to the DR site the IP obviously changes and the connection is not valid.  How does the client recognize that traffic needs to go through a new vpn connection?

If they're using Cisco IOS-based devices, you can just add a second peer address to the crypto map.  If the first peer is unavailable, the VPN will switch to the second peer.

In our testing, it took about 30 seconds to detect the failure and switch to the new peer.
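The dual-peer crypto map described in this answer, written out as an added example rather than configuration taken from the thread; every name and address is an assumption (documentation ranges stand in for the primary data center, DR site and client WAN addresses, and the pre-shared keys are placeholders):

```cisco
! Added example (not from the thread): a client-side IOS crypto map with a
! second "set peer" for the DR site. Assumed addresses: 203.0.113.10 primary
! DC, 198.51.100.20 DR site, 192.0.2.1 client WAN interface.
!
! Dead Peer Detection: probe the active peer every 10 s and declare it dead
! after 3 missed replies, so the switch to the second peer happens in tens of
! seconds instead of waiting for the IKE SA lifetime to expire.
crypto isakmp keepalive 10 3
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! The DR device is a separate box, so it gets its own pre-shared key entry.
crypto isakmp key PRIMARY-PSK-PLACEHOLDER address 203.0.113.10
crypto isakmp key DR-PSK-PLACEHOLDER address 198.51.100.20
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: client LAN 10.10.0.0/24 to data-center LAN 10.20.0.0/24.
! The DR site has to present the same 10.20.0.0/24 behind its VPN device, or
! a second permit line for the DR LAN is needed here and in the DR crypto ACL.
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 ! Peers are tried in the order listed: primary DC first, DR site second.
 set peer 203.0.113.10
 set peer 198.51.100.20
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description WAN uplink
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN-MAP
```

The DR device needs the mirror image of this (its own crypto ACL with source and destination swapped, and the client's 192.0.2.1 as its peer). Once traffic has moved to the DR peer, a crypto map does not fail back by itself; the DR SA stays in use until it fails or is cleared.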
ASKER

So if I understand correctly, the client needs to add a second entry into the VPN connection for the IP address of the DR site endpoint.  If our primary IP address is unavailable the second IP address (DR site IP) will negotiate the connection?  The DR site has its own connection.
Yes.  The DR will need its own router/VPN device, which will need to be configured to accept the VPN connections.
Depending on how things are set up, you will also need to look at how to handle routing failover. It's one thing to have the VPN endpoints fail over, but it can sometimes be a challenge to get traffic to route to the correct firewall when the firewall is up and running but the internet connection is down. Everything depends on how routing is currently set up.