Cisco – Fail-over VPN with two ISPs and Cisco ASA 5500 Series

ciscocisco-asafailoverispvpn

We have a couple of branch offices that need to connect to a main site.
We plan to use Cisco ASAs 5515 to establish VPN connections. We would also like to have 2 ISPs at each location to make the connection redundant. Here is the image:
enter image description here

I am a bit new to ASAs so far, so my question is "Is it possible to set up ASA 5515 to use 2 ISPs to have VPN connection with a remote site and in case of the main ISP's failure switch over to backup ISP automatically and then to return back to the main one when the link is reestablished ?"

Best Answer

Yes it is possible, all you have to do is enable isakmp on the both outside interfaces of the redundant ISP ASA with

crypto isakmp enable <outside interface name>
crypto isakmp enable <backup interface name>

and then on the ISP C ASA change your crypto map statement to:

crypto map outside_map <crypto map no> set peer <ISP A IP> <ISP B IP>

That will allow a failover if ISP A is down. When the tunnel is renegotiated and ISP A is available the tunnel will fail back.

Related Solutions

Cisco ASA 5505 – L2TP over IPsec

Can you post the output of your log while trying to establish a vpn connection at the debugging level? (in the asdm go to Monitoring -> Logging -> set logging level to debug in the drop down -> click view)

Also unless there is a compelling reason to stay at 7.2(4) I would upgrade to the latest 8.x release. The 7.2 series had some pretty major issues.

EDIT

That error means that the interface the incoming vpn is setup on doesn't have a crypto-map applied.

if you were following the instructions there, you probably applied the crypto map like this:

crypto map outside_map interface outside

if you are testing on the same lan you would need to do this:

crypto map outside_map interface inside

Ugly i know but it'll let you test, then remove from the inside interface and you are good to go.

If that doesn't work, would you be willing put post your running config?

EDIT 2:

Ok, lets simplify this config a little. Try disconnecting the XP machine from the ASA. And also remove the 192.168.1.1 ip address and DHCP pool from the ASA. Then try to connect via the vpn.

Cisco ASA – VPN and Hairpinning

Take a look to this page. It provides a good example of what you want to take. As described at the end of the Background Information part, the interesting command is same-security-traffic so that you can allow site1 to exchange data with site3
There is another example here (a bit more clear may be)

Best Answer

Related Solutions

Cisco ASA 5505 – L2TP over IPsec

Cisco ASA – VPN and Hairpinning

Related Topic