Solved

failover of VPN tunnels

Posted on 2014-12-29
Last Modified: 2014-12-30
Hello all,

We have several external sites connected via site to site vpn tunnels using 5520 ASAs. On the primary asa where I'm at, we have tunnels that go to customer external sites to monitor certain devices. We have over 40 tunnels to customer sites. There's supposed to be some kind of replication mechanism on the primary asa so that if the primary asa fails, the asa at the other site will pick up and we will be able to monitor everything from that asa until we fix the primary. (failover)

I have no idea what that failover looks like and I need to find out how it works and how it's configured. How can I go about finding out? I see on the other asa there is a tunnel to me and I know that's active. Can anyone give suggestions or help me figure this out?
Question by:Shark Attack
13 Comments
 
LVL 70

Expert Comment

by:Qlemo
ID: 40523425
Obviously you need to use a different device for the backup ASA's connection to your primary location. Otherwise a failing ASA would not allow a connection to the backup to be active.

The switchover is probably achieved by using OSPF as routing protocol. If the primary ASA dies, the routes to the secondary will get better metrics and get active. This needs to happen on your default gateway device, which decides to take a different route - unless all routing is done on each individual client, but I don't think so.
 
LVL 3

Author Comment

by:Shark Attack
ID: 40523524
Well, at my site, I have the primary asa and I have a backup asa. So in any case if the building goes down, the other location should pick up; I just don't know how that switch over happens. All devices have static routing.
 
LVL 70

Expert Comment

by:Qlemo
ID: 40523798
It does not work with static routing. Either the default gateway or the specific routes need to get changed on failure of the primary router.
 
LVL 3

Author Comment

by:Shark Attack
ID: 40523886
So then technically, there is no failover since I would need to change the peers on all the customer sites, correct? There is no centralized route that I could change that will change the default gateway or route.
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40523895
Correct. The default gateway needs to get changed everywhere - if it is the ASA. If there is a different device serving that purpose, no change on clients required.

Again: You *need* to have a different device. A tunnel on the primary ASA to the secondary does not work if the primary ASA fails. So you need to look at what the current default gateway is, and see how it determines where traffic has to go to.
 
LVL 3

Author Comment

by:Shark Attack
ID: 40523906
Thanks! One last thing: can I add a secondary peer to an ipsec tunnel if the primary peer fails?
 
LVL 70

Expert Comment

by:Qlemo
ID: 40523924
In general no. The ASA might have a fallback feature, but I don't know anything about that.
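As an added note that is not from this thread: an ASA crypto map entry accepts more than one peer address, and the initiating side tries them in order once IKE dead peer detection marks the first as unreachable. The fragment below is what the customer side of one tunnel would carry (interface, ACL, transform-set and key names are assumed, the peer addresses are constructed):

```text
! Customer-side ASA; hub peers listed in order of preference (assumed names)
crypto map outside_map 10 match address HUB_TRAFFIC
crypto map outside_map 10 set peer 203.0.113.5 198.51.100.7
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key <primary-psk>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 ikev1 pre-shared-key <backup-psk>
 isakmp keepalive threshold 10 retry 2
```

The backup peer only helps when the customer side initiates; the hub-side backup ASA still needs its own tunnel-groups for every customer, and the monitoring traffic at the hub must be routed to it, which is the default-gateway point made above.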
 
LVL 3

Author Comment

by:Shark Attack
ID: 40523925
But even if I had OSPF, how would that change anything if my primary building where the primary asa resides loses power? If all the tunnels have a specific peer and that peer dies, even if it gets redirected, it won't authenticate the tunnel since the peer IP is different.
 
LVL 70

Expert Comment

by:Qlemo
ID: 40523936
Maybe all tunnels are set up twice, for each initiating device? The only other way I can imagine is that the fail-over ASA uses the same public IP as the primary. Unlikely.
 
LVL 3

Author Comment

by:Shark Attack
ID: 40523944
It's not using the same ip. When I look at the other asa at the other site, it has a lot of the same tunnels on it. All are inactive, most likely because there is no traffic going through? When I do "show run tunnel group" I can see all connections there, but when I do "show run isa" I can only see 4 tunnels active that go to the main sites, not customer sites. I am assuming once my building loses connection, the traffic will somehow flow through that secondary asa.
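The comparison described above (every customer tunnel-group present on the backup ASA, but only a handful of IKE SAs up) can be done against saved CLI output rather than by eye. This is an added example, not code from the thread; it parses constructed samples in the format of "show run tunnel-group" and "show crypto isakmp sa" (IKEv1) and reports which configured site-to-site peers have no IKE SA, which is the list to check before trusting a failover.

```python
import re

# Constructed sample in the format of "show run tunnel-group" on an ASA.
TUNNEL_GROUP_OUTPUT = """\
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 203.0.113.9 type ipsec-l2l
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group DefaultRAGroup type remote-access
"""
# Constructed sample in the format of "show crypto isakmp sa" (IKEv1).
ISAKMP_SA_OUTPUT = """\
   Active SA: 1
Total IKE SA: 1

1   IKE Peer: 203.0.113.5
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

L2L_RE = re.compile(r"^tunnel-group\s+(\S+)\s+type\s+ipsec-l2l\s*$", re.M)
PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")

def configured_l2l_peers(tunnel_group_text):
    """Site-to-site peers that have a tunnel-group; remote-access groups are ignored."""
    return set(L2L_RE.findall(tunnel_group_text))

def active_ike_peers(isakmp_sa_text):
    """Map each peer that currently has an IKE SA to its state (e.g. MM_ACTIVE)."""
    peers, current = {}, None
    for line in isakmp_sa_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = m.group(1)
            peers[current] = "UNKNOWN"
        elif current and STATE_RE.search(line):
            peers[current] = STATE_RE.search(line).group(1)
    return peers

def tunnel_report(tunnel_group_text, isakmp_sa_text):
    """Split configured L2L peers into those with an IKE SA and those without one."""
    configured = configured_l2l_peers(tunnel_group_text)
    active = active_ike_peers(isakmp_sa_text)
    return {
        "active": sorted(p for p in configured if p in active),
        "idle": sorted(p for p in configured if p not in active),
        "sa_without_tunnel_group": sorted(p for p in active if p not in configured),
    }
```

An idle peer on the backup ASA is expected while the primary is healthy; the useful check is that every customer peer appears in the configured set on both boxes, since a peer missing from the backup cannot come up during a failover.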
 
LVL 3

Author Comment

by:Shark Attack
ID: 40523950
Or I can just find out when everything goes south.
 
LVL 70

Expert Comment

by:Qlemo
ID: 40523978
All you need to do for tests is to plug off the primary ASA from your LAN ;-).
 
LVL 3

Author Comment

by:Shark Attack
ID: 40524031
And update my resume.