ASA IPSEC VPN - Redundant Peer

Posted on 2014-10-22
Medium Priority
Last Modified: 2014-11-18
In a site to site L2L IPSEC VPN, two ASA firewalls, how can I test the redundant peer connection? I want to make sure that if the main site goes down that the ASA will connect to the other remote peer IP.
Question by:tolinrome
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 29

Accepted Solution

Alan Huseyin Kayahan earned 2000 total points
ID: 40398317
Create a temporary route for the destination IP of the main tunnel to some IP other than the default gateway.

route outside x.x.x.x y.y.y.y

where x.x.x.x is the destination IP of the main tunnel and y.y.y.y is some IP (i.e loopback or some random IP of the interface etc.)

Main site tunnel will go down since the tunnel destination is unreachable. Observe if backup tunnel takes over.
LVL 57

Expert Comment

by:Pete Long
ID: 40399073
or remove the secondary peer IP from the cryptomap :)


show cry isa
{Take note of the remote Peer}
(remove the redundant peer)
no crypto map outside_map 1 set peer 456.456.456.456
crypto map outside_map 1 set peer
{Make sure the tunnel comes back up with some ping traffic)
show cry isa
{peer should have changed)
{replace the cryptomap again}
crypto map outside_map 1 set peer 456.456.456.456

You could have course down the redundant interface at the remote site.

LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40399103
I dont know if ASA will treat incomplete configuration (If peer, intr acl or transform set is missing, CLI will warn "incomplete configuration" untill all 3 are in place) same as unreachable peer when considering to activate the backup tunnel. Unreachable route or ACL restricted outbound traffic towards peer seems to be a better simulation for "main tunnel down".

Author Comment

ID: 40399310
I forgot to mention that there are 3 asa's in this scenario. The main peer connection, which is working fine and the redundant peer ip to the other asa, which is the backup in case the first goes down. Pete, I think I know what youre saying but I want to be able to connect to the redundant peer just to test.

Featured Post

WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses
Course of the Month10 days, 14 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question