[c-nsp] ASA IPsec Tunnel Failover

David Prall dcp at dcptech.com
Tue Jul 14 16:17:36 EDT 2009


IKE Keepalives and Reverse Route Injection are typical solutions for routers
with IPSec tunnels. I see that both are supported on the ASA. With RRI, the
route is installed only when the IPSec tunnel is up. I think IKE Keepalives
and using two peers within a single crypto-map will handle this correctly.
When the first peer fails, the second peer will be established and the route
will be installed to use the second peer address via RRI.

David

--
http://dcp.dcptech.com
 

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Griffin
> Sent: Tuesday, July 14, 2009 2:21 PM
> To: Munoz, Jeff
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA IPsec Tunnel Failover
> 
> Do you have any routers/layer 3 devices on the inside of the firewalls? The
> weighted GRE tunnels always work well for this.
> 
> On Mon, Jul 13, 2009 at 3:14 PM, Munoz, Jeff <Jeff.Munoz at swinc.com> wrote:
> 
> > Hey guys, I have two main sites (site A and site B) and one remote site
> > (site C).  Sites A and B have a metroethernet connection between them.
> > Remote site C has an IPsec tunnel back to site A.  I'd like to set up
> > failover so in case site A's ASA is down the remote site C ASA sends the
> > interesting traffic down the site B IPsec tunnel.  Unfortunately, it will
> > always match the tunnel to site A since the phase 2 access lists have the
> > same source/destinations.  Any ideas on how I can do this?
> >
> > Thanks!
> >
> > Jeff
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
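
A sketch of the setup described in David's reply, written for the site C ASA: one crypto map entry with a single Phase 2 access list, two peers, IKE keepalives and RRI. This is an added example, not configuration posted by anyone in the thread; every name, address and key is a placeholder, and it assumes ASA 8.x-era IKEv1 syntax with an ISAKMP policy already configured and enabled on the outside interface.

```text
! Constructed example. Placeholders (not from the thread):
!   198.51.100.1 = site A ASA, 203.0.113.1 = site B ASA
!   10.30.0.0/24 = site C LAN, 10.10.0.0/16 = networks behind sites A and B

! One Phase 2 ACL covers both head ends, so there is no second entry to
! shadow: the "always matches site A" problem goes away.
access-list VPN-TO-HQ extended permit ip 10.30.0.0 255.255.255.0 10.10.0.0 255.255.0.0

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Single crypto map entry; peers are tried in the order listed.
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
! Assumption: on this release a backup peer list needs the originate-only
! connection type. Check the command reference for your version.
crypto map OUTSIDE-MAP 10 set connection-type originate-only
! Reverse Route Injection for the networks in VPN-TO-HQ.
crypto map OUTSIDE-MAP 10 set reverse-route
crypto map OUTSIDE-MAP interface outside

! IKE keepalives per peer, so a dead site A is detected and the SA is torn
! down before the next peer is tried.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <PSK-SITE-A>
 isakmp keepalive threshold 10 retry 2

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <PSK-SITE-B>
 isakmp keepalive threshold 10 retry 2
```

After a test failover, `show crypto isakmp sa` shows which peer holds the tunnel and `show route` shows whether the RRI route is present.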
