I would say that with ASA you'll put yourself into a limited situation. No 
support for dynamic routing over IPSec and no way to make a pre-emption to the 
more preferred peer.

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Joe Astorino
Sent: Monday, May 14, 2012 12:02 PM
To: Mohamed Gazzaz
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] DPD preemption?

I appreciate that, but I have indeed read all those papers.  HSRP and SSO do 
not help me because the primary ASA is in Michigan and the secondary ASA is in 
London, UK.

The goal is to have a remote site router closer to the US have a primary IPSEC 
connection to the Michigan ASA and a backup IPSEC connection to the London ASA, 
while a site closer to Europe would be the opposite.  The remote site routers 
have only a single internet connection.  Today it works because instead of an 
ASA at the head ends I have IOS routers with VTI interfaces, and thus I run BGP 
which takes care of things.  I am looking for a simpler design and to utilize 
the ASAs instead.

On Mon, May 14, 2012 at 2:24 PM, Mohamed Gazzaz <[email protected]> wrote:
> Hi Joe,
>
>
> Please have a look at the following links (They might give you an idea)
>
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/white_paper_c11_472859.html
>
> https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/04/25/ipsec-vpn-redundancy-failover-over-redundant-isp-links
>
> http://blog.ine.com/2008/11/06/ipsec-vpn-high-availability-with-hsrp/
>
>
> Regards,
> Mohamed Gazzaz
>
>> Date: Mon, 14 May 2012 12:57:56 -0400
>> From: [email protected]
>> To: [email protected]
>> Subject: [OSL | CCIE_Security] DPD preemption?
>
>>
>> Hello,
>>
>> I am working on a design trying to accomplish the following: I have 
>> two ASAs that need to terminate L2L IPSEC tunnels to some remote 
>> sites but they are in different regions of the world. The idea is 
>> that a remote site will have a tunnel to the ASA closest to the site, 
>> and a backup tunnel to the other. I believe I can accomplish this by 
>> having a crypto map on the remote router with two "set peer" commands 
>> on the same crypto map line. It looks like dead peer detection will 
>> detect if the primary link goes down and failover to the secondary, 
>> but I don't see a way to make it recover after the primary comes back 
>> up. Is there a way to accomplish that?
>>
>> I would want it to fail back over to the primary because the primary 
>> will be geographically closer and yield better response times.
>>
>> Is there a better way to do something like this?
>>
>> --
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347
>> http://astorinonetworks.com
>>
>> "He not busy being born is busy dying" - Dylan 
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, 
>> please visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out 
>> www.PlatinumPlacement.com



--
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan 
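The remote-router side of the design Joe describes, as an added illustration and not configuration posted by anyone in this thread: a crypto map with two `set peer` entries and periodic DPD. The `default` keyword on the preferred peer and the SA idle timer are assumed from the IOS IPsec Preferred Peer and SA idle-timer features; addresses, ACL and map names are placeholders.

```cisco
! Added illustration, not config from the thread. Placeholder addresses.
! DPD: probe the current peer every 10 s, declare it dead after 3 misses.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map HUB 10 ipsec-isakmp
 set peer 198.51.100.1 default      ! Michigan ASA, preferred (assumed IOS keyword)
 set peer 203.0.113.1               ! London ASA, tried when the first peer is dead
 set security-association idle-time 120   ! drop an idle SA so the next build can try the default peer again
 set transform-set TS
 match address HUB-TRAFFIC
!
ip access-list extended HUB-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.0.255.255
!
interface GigabitEthernet0/0
 crypto map HUB
```

`show crypto session` shows which of the two peers the SA is currently established with. Neither setting preempts a healthy tunnel to London: the router only tries the default peer first when it next initiates an SA, so with continuous interesting traffic the backup stays in use, which is the gap the thread is about.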