Cisco – Simplest way to do failover routing with Dell PowerConnect core switch


I have a number of remote sites connecting back to head office via Cisco ASA 5505s and Cisco PIX 506es. At head office we have an old Cisco 3000 VPN Concentrator, and a new Cisco ASA 5510.

The remote sites use Easy VPN to connect (so they show up as Remote Access sessions, not Lan2Lan).

I am in the process of migrating the remote devices to connect to the new 5510. I can have multiple VPN Servers in the config for failover, so I am adding the VPN Concentrator there. However, at the head office end, we currently have static routes set up to direct traffic for our remote subnets to either the 5510 or VPN Concentrator. This means that in a failover situation, manual intervention would be required to update the routes at head office.

We have Dell PowerConnect 6248s as core switches at head office – all the routing is configured on there at present. I'd like to get some kind of failover routing in place so if I take the ASA 5510 down for any reason, the connections still work. The endpoints can handle this failover, but the routing is currently all static. How can I achieve this?

Best Answer

If possible, go to dynamic routing. Given the right physical setup, using static routes with different metrics will give you decent fail-over behaviour.

A router normally doesn't track reachability for next hops; it tracks "interface up" or "interface down", and if at least one interface that is a suitable egress for a given next hop is "up", the next hop is considered reachable. At that point, the only thing that would cause packets not to be sent to a next hop, up or down, is that there's no ARP resolution, and as ARP requests are usually cached for quite a while (Cisco default is, I believe, 4 hours), you may be in for a long wait.

In "Cisco-land", using static routes with different (administrative) distances is called "floating statics", and it is usually used for fail-over from a serial link to another link, as the serial link is (usually) point-to-point (may not be the case if you're using FR or other serial link protocols able to provide multi-point) and has enough signaling to be able to flag "other end is unreachable" (unlike, say, most "metro Ethernet", where there are usually multiple L2 hops between the two L3 end-points, so a break somewhere in the transmission path is usually not visible as a downed interface).

So, in short, if you can arrange that your 5510 is connected on a dedicated switch-port, with a /30 network, on a single core switch, and the 5510 will NOT cause the switch-port on the core switch to signal as up when the 5510 is switched off (or you're willing to take the time hit of someone having to either modify the routing or unplug the cable), floating statics may be exactly all you need. Well worth investigating, but I'd probably look into configuring dynamic routing, at least for the VPN routes.
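The floating-static arrangement the answer describes, written out as an added example (not part of the original post, and not taken from the asker's switches). It uses Cisco IOS syntax because that is what the answer refers to; the PowerConnect 6248 has its own `ip route` form with a preference value, so the exact keywords need to be checked against the Dell manual. All addresses are assumed: a remote-site subnet of 10.50.0.0/16, the ASA 5510 at 192.0.2.2 on a dedicated /30 port, and the VPN 3000 Concentrator at 192.0.2.6 on a second /30 port.

```cisco
! Added example, not from the original post. Assumed addressing:
!   remote-site subnet      10.50.0.0/16
!   ASA 5510                192.0.2.2 (dedicated core-switch port, /30)
!   VPN 3000 Concentrator   192.0.2.6 (second dedicated port, /30)
!
! Each next hop sits on its own routed port. No intermediate switch means
! that powering off the 5510 drops the link, so the primary route is
! withdrawn and the floating static takes over.
interface GigabitEthernet1/0/1
 description Dedicated link to ASA 5510
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet1/0/2
 description Dedicated link to VPN 3000 Concentrator
 no switchport
 ip address 192.0.2.5 255.255.255.252
!
! Primary route: the default administrative distance for a static route is 1.
ip route 10.50.0.0 255.255.0.0 192.0.2.2
!
! Floating static: same prefix, distance 250. It is only installed in the
! routing table while the distance-1 route is absent, i.e. while Gi1/0/1 is
! down. If the 5510 were behind another switch, Gi1/0/1 would stay up and
! traffic would keep going to a dead next hop until ARP expired.
ip route 10.50.0.0 255.255.0.0 192.0.2.6 250
```

To confirm which route is active, `show ip route 10.50.0.0` before and after shutting the primary port shows the next hop switching from 192.0.2.2 to 192.0.2.6. On platforms that support it, Cisco IOS can also attach an IP SLA reachability probe to a static route (`ip sla` plus `track` and `ip route ... track`), which removes the dependency on the physical link going down; whether the PowerConnect offers an equivalent would need checking, which is one more reason the answer's suggestion of dynamic routing for the VPN prefixes is the more robust option.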