Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN Failover

Status
Not open for further replies.
Dustinn3

Dustinn3

MIS
Joined
Oct 31, 2001
Messages
164
Location
US
I have an ASA 5510 at our main office. At our branch offices we have asa 5505's. Currently we have DSL connections at each branch, but we are adding T-1's to each office. I would like to setup the T-1's as the primary vpn connections and the DSL as a secondary vpn connection. Is there a way to make the vpn's failover? I know I can for the internet connections, but I'm clueless on the VPN tunnels.

Thanks,

Dustin

 
Sort by date Sort by votes
i am trying to do the same thing. Failover works to the backup connection, and the tunnel comes back up. The problem is failing back. The tunnel stats connected on the backup connection , but your asa sends traffice out of its primary interface causing phase 2 rekey errors. The only fix i've had is to do a clear ipsec sa. which kills the sa of the dsl line and lets the tunnel come back up on the primary. I would be interested to here about your experience with this setup.

Nick
 
Upvote 0 Downvote
that is the only way i know to fail it back. are you terminating to another ASA?
 
Upvote 0 Downvote
It took me a while, but I actually got mine to fail back automatically. I have two connections at each site, but at the main site I'm using both connections, one for internet and the other for vpn's. The vpn's can fail back to the internet connection if needed.

At the remote sites I setup the primary connection with a tracked ip. When it goes down it brings up the route to the other connection. As soon as the other connection comes back up it switches back to the other connection. What really threw me for a loop was I could access my main site just fine from the remote site, but I couldn't access my remote site from my main office over the new connection. I finally figured out I had to add a tracked route for the remote ip address range over the second interface. When it's up it sends the traffic over it and when it goes down it sends it back over the 1st interface. Otherwise even with the tunnel up on the new interface it was trying to send the traffic over the internet connection.

Additionally, on the ASA 5505's I found that you can't just enable a 3rd named interface. To do so you have to restrict access to the other outside interface and you have to name it from the command line.

Thanks for the help!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question Question
Cisco ASA - VPN Question
Replies
6
Views
1K
intel233
intel233
ISDPCMAN
  • Locked
  • Question Question
RDP fails over VPN
Replies
1
Views
514
gkittelson
gkittelson
Shmid
  • Locked
  • Question Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
1K
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
416
WhosYourDiffie
WhosYourDiffie
ITSUPPORTIT
  • Locked
  • Question Question
VPN from ASA 5510 and RV215W problem
Replies
0
Views
325
ITSUPPORTIT
ITSUPPORTIT

Part and Inventory Search

Sponsor

Back
Top