Solved

ASA IPSEC VPN - Redundant Peer

Posted on 2014-10-22
692 Views
Last Modified: 2014-11-18
In a site-to-site L2L IPSEC VPN with two ASA firewalls, how can I test the redundant peer connection? I want to make sure that if the main site goes down, the ASA will connect to the other remote peer IP.
Thanks.

Question by: tolinrome

4 Comments
LVL 29

Accepted Solution
by: Alan Huseyin Kayahan (earned 500 total points)
ID: 40398317
Create a temporary route for the destination IP of the main tunnel to some IP other than the default gateway.

route outside x.x.x.x 255.255.255.255 y.y.y.y

where x.x.x.x is the destination IP of the main tunnel and y.y.y.y is some IP (e.g. a loopback or some random IP of the interface, etc.).

The main site tunnel will go down since the tunnel destination is unreachable. Observe whether the backup tunnel takes over.
LVL 57

Expert Comment
by: Pete Long
ID: 40399073
or remove the secondary peer IP from the crypto map :)

e.g.

show cry isa
{Take note of the remote peer}
{Remove the redundant peer}
no crypto map outside_map 1 set peer 123.123.123.123 456.456.456.456
crypto map outside_map 1 set peer 123.123.123.123
{Make sure the tunnel comes back up with some ping traffic}
show cry isa
{Peer should have changed}
{Replace the crypto map again}
crypto map outside_map 1 set peer 123.123.123.123 456.456.456.456

You could of course down the redundant interface at the remote site.

Pete
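Both approaches above end with "show cry isa" and a look at whether the active IKE peer has changed from the primary to the backup address. The following script, added here as an example and not code from the thread or from Cisco, parses two captured "show crypto isakmp sa" outputs (before and after the test) and reports whether the failover actually happened, and also reads the peer order out of a "crypto map ... set peer" line so you know which address is primary. The sample outputs are constructed in the IKEv1 ASA format and use RFC 5737 documentation addresses; the parser assumes that format (IKEv2 "show crypto ikev2 sa" looks different) and the function names are mine.

```python
import re
from typing import Dict, List

# Constructed sample in the style of ASA "show crypto isakmp sa" (IKEv1).
# 203.0.113.10 plays the primary peer, 198.51.100.20 the backup peer.
BEFORE = """\
Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : Initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed capture taken after the primary was made unreachable.
AFTER = """\
Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 198.51.100.20
    Type    : L2L             Role    : Initiator
    Rekey   : no              State   : MM_ACTIVE
"""

PEER_RE = re.compile(r"IKE Peer:\s*(\d{1,3}(?:\.\d{1,3}){3})")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")
ACTIVE_STATES = {"MM_ACTIVE", "AM_ACTIVE"}  # main mode / aggressive mode


def parse_isakmp_sa(text: str) -> Dict[str, str]:
    """Map each IKE peer address in the output to its SA state."""
    peers: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = m.group(1)
            peers[current] = "UNKNOWN"
            continue
        m = STATE_RE.search(line)
        if m and current:
            peers[current] = m.group(1)
    return peers


def active_peers(text: str) -> List[str]:
    """Peers that currently hold an established phase-1 SA."""
    return sorted(p for p, s in parse_isakmp_sa(text).items() if s in ACTIVE_STATES)


def crypto_map_peers(config_line: str) -> List[str]:
    """Peer addresses in configured order; the ASA tries them first to last."""
    m = re.search(r"set peer\s+(.+)$", config_line.strip())
    return m.group(1).split() if m else []


def failover_verified(before: str, after: str, primary: str, backup: str) -> bool:
    """True only if primary was up before the test and backup is up (and primary is not) after it."""
    b, a = parse_isakmp_sa(before), parse_isakmp_sa(after)
    return (
        b.get(primary) in ACTIVE_STATES
        and a.get(backup) in ACTIVE_STATES
        and a.get(primary) not in ACTIVE_STATES
    )


if __name__ == "__main__":
    peers = crypto_map_peers("crypto map outside_map 1 set peer 203.0.113.10 198.51.100.20")
    print("primary:", peers[0], "backup:", peers[1])
    print("active before:", active_peers(BEFORE))
    print("active after :", active_peers(AFTER))
    print("failover verified:", failover_verified(BEFORE, AFTER, peers[0], peers[1]))
```

In practice you would paste the two "show crypto isakmp sa" captures into BEFORE and AFTER; checking that the primary is no longer active in the second capture, not just that the backup appears, is what distinguishes a real failover from a rekey or a second tunnel.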
LVL 29

Expert Comment
by: Alan Huseyin Kayahan
ID: 40399103
I don't know if the ASA will treat an incomplete configuration (if the peer, intr ACL or transform set is missing, the CLI will warn "incomplete configuration" until all 3 are in place) the same as an unreachable peer when considering whether to activate the backup tunnel. An unreachable route or ACL-restricted outbound traffic towards the peer seems to be a better simulation of "main tunnel down".
LVL 7

Author Comment
by: tolinrome
ID: 40399310
I forgot to mention that there are 3 ASAs in this scenario: the main peer connection, which is working fine, and the redundant peer IP to the other ASA, which is the backup in case the first goes down. Pete, I think I know what you're saying, but I want to be able to connect to the redundant peer just to test.