ASA IPSEC VPN - Redundant Peer

Posted on 2014-10-22
Last Modified: 2014-11-18
In a site to site L2L IPSEC VPN, two ASA firewalls, how can I test the redundant peer connection? I want to make sure that if the main site goes down that the ASA will connect to the other remote peer IP.
Thanks.
Question by:tolinrome
Accepted Solution by: Alan Huseyin Kayahan (earned 500 total points), ID: 40398317
Create a temporary route for the destination IP of the main tunnel to some IP other than the default gateway.

route outside x.x.x.x 255.255.255.255 y.y.y.y

where x.x.x.x is the destination IP of the main tunnel and y.y.y.y is some IP (i.e loopback or some random IP of the interface etc.)

Main site tunnel will go down since the tunnel destination is unreachable. Observe if backup tunnel takes over.
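The accepted answer above boils down to a short ASA procedure: give the primary peer a host route to a next hop that goes nowhere, force renegotiation, and watch which peer the new SA lands on. The configuration below is an added worked example, not something posted in the thread or taken from either expert; every address is from the RFC 5737 documentation ranges, the names (L2L_VPN, outside_map, AES256-SHA) and pre-shared keys are placeholders, and the local LAN 10.1.0.0/24 and remote LAN 10.2.0.0/24 are assumed. It also includes the two things a practitioner usually trips over when running this test: the backup peer needs its own tunnel-group (the pre-shared key is looked up by the tunnel-group whose name is the peer IP, so a crypto map that lists the peer is not enough), and the ASA does not fail back on its own once it is on the backup peer, so the rollback has to clear the SAs as well as remove the test route.

```cisco
! Baseline on the local ASA (constructed example, not from the original thread).
! 203.0.113.10 = primary remote peer, 198.51.100.10 = backup remote peer (third ASA)
! 192.0.2.1/24 = local outside interface subnet, 10.1.0.0/24 = local LAN, 10.2.0.0/24 = remote LAN
access-list L2L_VPN extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address L2L_VPN
! Peers are tried in the order listed: primary first, backup only when the
! primary does not answer IKE.
crypto map outside_map 1 set peer 203.0.113.10 198.51.100.10
crypto map outside_map 1 set ikev1 transform-set AES256-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
! One tunnel-group per peer IP. Without the second one the failover test
! fails at IKE authentication even though the crypto map lists the backup.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key PRIMARY-PSK-PLACEHOLDER
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key BACKUP-PSK-PLACEHOLDER

! --- Failover test: black-hole the primary peer only ---
! A /32 route beats the default route, and 192.0.2.254 is assumed to be an
! unused address on the outside subnet, so IKE to the primary never gets out.
route outside 203.0.113.10 255.255.255.255 192.0.2.254
! Tear down the current SAs so the ASA has to renegotiate now, rather than
! waiting for DPD or the SA lifetime to notice the black-hole.
clear crypto ipsec sa peer 203.0.113.10
clear crypto ikev1 sa
! Generate interesting traffic from the inside LAN (e.g. ping 10.2.0.10 from a
! 10.1.0.x host), then confirm the new SA is with the backup peer:
show crypto ikev1 sa
show crypto ipsec sa peer 198.51.100.10

! --- Rollback ---
no route outside 203.0.113.10 255.255.255.255 192.0.2.254
! The ASA stays on whichever peer it is currently up with; clearing the
! backup SAs makes the next negotiation try the primary again.
clear crypto ipsec sa peer 198.51.100.10
clear crypto ikev1 sa
show crypto ikev1 sa
```

The test route is deliberately a /32 so only the primary peer is affected; the default route and the backup peer are untouched. For the test to mean anything the backup ASA must carry the mirror image of this configuration (the local ASA's outside address as its peer, the same interesting-traffic ACL reversed, and a matching pre-shared key), which is the part the question's third ASA has to get right.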
Expert Comment by: Pete Long, ID: 40399073
or remove the secondary peer IP from the crypto map :)

eg

show cry isa
{Take note of the remote peer}
(remove the redundant peer)
no crypto map outside_map 1 set peer 123.123.123.123 456.456.456.456
crypto map outside_map 1 set peer 123.123.123.123
{Make sure the tunnel comes back up with some ping traffic}
show cry isa
{peer should have changed}
{replace the crypto map again}
crypto map outside_map 1 set peer 123.123.123.123 456.456.456.456

You could of course down the redundant interface at the remote site.

Pete

Expert Comment by: Alan Huseyin Kayahan, ID: 40399103
I don't know if the ASA will treat an incomplete configuration (if the peer, interesting-traffic ACL or transform set is missing, the CLI will warn "incomplete configuration" until all 3 are in place) the same as an unreachable peer when considering whether to activate the backup tunnel. An unreachable route or ACL-restricted outbound traffic towards the peer seems to be a better simulation of "main tunnel down".

Author Comment by: tolinrome, ID: 40399310
I forgot to mention that there are 3 ASAs in this scenario: the main peer connection, which is working fine, and the redundant peer IP to the other ASA, which is the backup in case the first goes down. Pete, I think I know what you're saying, but I want to be able to connect to the redundant peer just to test.