Sounds like the best option is to continue to use VTI with routers at remote sites terminating to routers at the head end. A shame the ASA is not a bit more versatile in its capabilities :(
On Mon, May 14, 2012 at 4:47 PM, Piotr Matusiak <[email protected]> wrote:
> Hi Joe,
>
> EEM is the option for you. I don't recall any other option now.
>
> Regards,
> Piotr
>
> -----Original Message-----
> From: Joe Astorino
> Sent: Monday, May 14, 2012 9:02 PM
> To: Mohamed Gazzaz
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] DPD preemption?
>
> I appreciate that, but I have indeed read all those papers. HSRP and
> SSO do not help me because the primary ASA is in Michigan and the
> secondary ASA is in London, UK.
>
> The goal is to have a remote site router closer to the US have a
> primary IPSEC connection to the Michigan ASA and a backup IPSEC
> connection to the London ASA, while a site closer to Europe would be
> the opposite. The remote site routers have only a single internet
> connection. Today it works because instead of an ASA at the head ends
> I have IOS routers with VTI interfaces, and thus I run BGP which takes
> care of things. I am looking for a simpler design and to utilize the
> ASAs instead.
>
> On Mon, May 14, 2012 at 2:24 PM, Mohamed Gazzaz <[email protected]> wrote:
>> Hi Joe,
>>
>> Please have a look at the following links (they might give you an idea):
>>
>> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/white_paper_c11_472859.html
>>
>> https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/04/25/ipsec-vpn-redundancy-failover-over-redundant-isp-links
>>
>> http://blog.ine.com/2008/11/06/ipsec-vpn-high-availability-with-hsrp/
>>
>> Regards,
>> Mohamed Gazzaz
>>
>>> Date: Mon, 14 May 2012 12:57:56 -0400
>>> From: [email protected]
>>> To: [email protected]
>>> Subject: [OSL | CCIE_Security] DPD preemption?
>>>
>>> Hello,
>>>
>>> I am working on a design trying to accomplish the following: I have
>>> two ASAs that need to terminate L2L IPSEC tunnels to some remote
>>> sites but they are in different regions of the world. The idea is
>>> that a remote site will have a tunnel to the ASA closest to the site,
>>> and a backup tunnel to the other. I believe I can accomplish this by
>>> having a crypto map on the remote router with two "set peer" commands
>>> on the same crypto map line. It looks like dead peer detection will
>>> detect if the primary link goes down and failover to the secondary,
>>> but I don't see a way to make it recover after the primary comes back
>>> up. Is there a way to accomplish that?
>>>
>>> I would want it to fail back over to the primary because the primary
>>> will be geographically closer and yield better response times.
>>>
>>> Is there a better way to do something like this?
>>>
>>> --
>>> Regards,
>>>
>>> Joe Astorino
>>> CCIE #24347
>>> http://astorinonetworks.com
>>>
>>> "He not busy being born is busy dying" - Dylan
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan

--
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
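As an added illustration of the remote-site side of the design discussed in this thread (example configuration, not anything posted by the participants), the snippet below pairs the dual-peer crypto map and DPD from Joe's question with the EEM fail-back that Piotr points to. It assumes constructed addresses 203.0.113.1 for the Michigan ASA and 198.51.100.1 for the London ASA, an outside interface GigabitEthernet0/0, and a pre-existing transform set TS and crypto ACL VPN-TRAFFIC.

```cisco
! Remote-site IOS router (all addresses and names below are constructed for this example)
! DPD: probe the peer every 10 s, retry every 3 s, so a dead primary is detected quickly
crypto isakmp keepalive 10 3 periodic
!
crypto map HEADEND 10 ipsec-isakmp
 set peer 203.0.113.1          ! primary: first listed peer is tried first
 set peer 198.51.100.1         ! backup: used once DPD declares the primary dead
 set transform-set TS          ! assumed to exist
 match address VPN-TRAFFIC     ! assumed to exist
!
! Track the primary peer's public address (the ASA must answer ICMP on its outside interface)
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Fail-back: when the primary becomes reachable again, tear down the SAs to the backup peer.
! The next interesting packet then renegotiates with the first listed peer, i.e. the primary.
event manager applet IPSEC-FAILBACK
 event track 1 state up
 action 1.0 syslog msg "Primary VPN peer reachable again, clearing backup crypto session"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear crypto session remote 198.51.100.1"
```

Clearing the backup session briefly interrupts tunnel traffic while the primary SA is rebuilt, and the tracked ping only proves the ASA's outside address answers, not that IKE on it is healthy.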
