Solved

ASA IPSEC VPN - Redundant Peer

Posted on 2014-10-22
4
889 Views
Last Modified: 2014-11-18
In a site-to-site L2L IPsec VPN with two ASA firewalls, how can I test the redundant peer connection? I want to make sure that if the main site goes down, the ASA will connect to the other remote peer IP.
Thanks.
0
Comment
Question by:tolinrome
4 Comments
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 40398317
Create a temporary route for the destination IP of the main tunnel to some IP other than the default gateway.

route outside x.x.x.x 255.255.255.255 y.y.y.y

where x.x.x.x is the destination IP of the main tunnel and y.y.y.y is some IP (i.e. a loopback or some random IP on the interface, etc.)

The main site tunnel will go down since the tunnel destination is unreachable. Observe whether the backup tunnel takes over.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40399073
or remove the secondary peer IP from the crypto map :)

e.g.

show cry isa
{take note of the remote peer}
{remove the redundant peer}
no crypto map outside_map 1 set peer 123.123.123.123 456.456.456.456
crypto map outside_map 1 set peer 123.123.123.123
{make sure the tunnel comes back up with some ping traffic}
show cry isa
{peer should have changed}
{put the crypto map back}
crypto map outside_map 1 set peer 123.123.123.123 456.456.456.456

You could of course down the redundant interface at the remote site.

Pete
0
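Whichever way the main tunnel is taken down (Alan's temporary route, or Pete's crypto map edit), the proof that failover worked is a before/after comparison of which peer holds the active L2L IKE SA. The following is an added example, not code from the thread: a small Python checker that parses pasted `show crypto isakmp sa` output and classifies the test outcome. The per-SA block layout (`IKE Peer:` / `Type` / `Role` / `Rekey` / `State`) is assumed from the ASA IKEv1 format, and both snapshots are constructed samples using RFC 5737 documentation addresses rather than the thread's placeholder IPs.

```python
import re
from typing import Dict, List

# Hypothetical primary and backup peer addresses for this example (documentation ranges).
PRIMARY_PEER = "203.0.113.10"
BACKUP_PEER = "198.51.100.20"

# Constructed sample of "show crypto isakmp sa" taken BEFORE the test:
# the main tunnel is up with the primary peer.
BEFORE_TEST = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed sample taken AFTER the primary peer was made unreachable:
# the SA has been rebuilt with the backup peer.
AFTER_TEST = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 198.51.100.20
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# One regex per three-line SA block; assumes the IKEv1 output layout shown above.
SA_RE = re.compile(
    r"^\s*\d+\s+IKE Peer:\s*(?P<peer>\S+)\s*\n"
    r"\s*Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)\s*\n"
    r"\s*Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)",
    re.MULTILINE,
)


def parse_isakmp_sa(output: str) -> List[Dict[str, str]]:
    """Return one dict (peer, type, role, rekey, state) per SA block found."""
    return [m.groupdict() for m in SA_RE.finditer(output)]


def active_l2l_peers(output: str) -> List[str]:
    """Peers that currently hold a fully established (MM_ACTIVE) L2L IKE SA."""
    return [
        sa["peer"]
        for sa in parse_isakmp_sa(output)
        if sa["type"] == "L2L" and sa["state"] == "MM_ACTIVE"
    ]


def failover_result(before: str, after: str, primary: str, backup: str) -> str:
    """Classify a redundant-peer test from two snapshots.

    "failover-ok"          primary active before, backup active after
    "primary-still-active" main tunnel never dropped (the test did not isolate it)
    "no-tunnel"            no active L2L SA after the test (backup never came up)
    "unexpected-state"     anything else, e.g. primary was not active to begin with
    """
    pre, post = active_l2l_peers(before), active_l2l_peers(after)
    if primary not in pre:
        return "unexpected-state"
    if primary in post:
        return "primary-still-active"
    if backup in post:
        return "failover-ok"
    if not post:
        return "no-tunnel"
    return "unexpected-state"


if __name__ == "__main__":
    print(failover_result(BEFORE_TEST, AFTER_TEST, PRIMARY_PEER, BACKUP_PEER))
```

In practice, paste the real `show crypto isakmp sa` output into `BEFORE_TEST` and `AFTER_TEST`; a "primary-still-active" result means the route or crypto map change did not actually make the primary peer unreachable, and "no-tunnel" means the second peer in the crypto map never negotiated, which is the case worth investigating before relying on it. Remember to remove the temporary route afterwards with the matching `no route outside ...` command.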
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40399103
I don't know if the ASA will treat an incomplete configuration (if the peer, intr ACL or transform set is missing, the CLI will warn "incomplete configuration" until all 3 are in place) the same as an unreachable peer when considering whether to activate the backup tunnel. An unreachable route or ACL-restricted outbound traffic towards the peer seems to be a better simulation of "main tunnel down".
0
 
LVL 7

Author Comment

by:tolinrome
ID: 40399310
I forgot to mention that there are 3 ASAs in this scenario: the main peer connection, which is working fine, and the redundant peer IP to the other ASA, which is the backup in case the first goes down. Pete, I think I know what you're saying, but I want to be able to connect to the redundant peer just to test.
0