One more thought. What about setting up two crypto-map-based tunnels with
dynamic routing on it preferring the nearest site?
Regards,
Piotr
-----Original Message-----
From: Joe Astorino
Sent: Monday, May 14, 2012 11:55 PM
To: Piotr Matusiak
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] DPD preemption?
Sounds like the best option is to continue to use VTI with routers at
remote sites terminating to routers at the head end. A shame the ASA
is not a bit more versatile in its capabilities :(
On Mon, May 14, 2012 at 4:47 PM, Piotr Matusiak <[email protected]> wrote:
Hi Joe,
EEM is the option for you. I don't recall any other option now.
Regards,
Piotr
-----Original Message-----
From: Joe Astorino
Sent: Monday, May 14, 2012 9:02 PM
To: Mohamed Gazzaz
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] DPD preemption?
I appreciate that, but I have indeed read all those papers. HSRP and
SSO do not help me because the primary ASA is in Michigan and the
secondary ASA is in London, UK.
The goal is to have a remote site router closer to the US have a
primary IPSEC connection to the Michigan ASA and a backup IPSEC
connection to the London ASA, while a site closer to Europe would be
the opposite. The remote site routers have only a single internet
connection. Today it works because instead of an ASA at the head ends
I have IOS routers with VTI interfaces, and thus I run BGP which takes
care of things. I am looking for a simpler design and to utilize the
ASAs instead.
On Mon, May 14, 2012 at 2:24 PM, Mohamed Gazzaz <[email protected]> wrote:
Hi Joe,
Please have a look at the following links (They might give you an idea)
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/white_paper_c11_472859.html
https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/04/25/ipsec-vpn-redundancy-failover-over-redundant-isp-links
http://blog.ine.com/2008/11/06/ipsec-vpn-high-availability-with-hsrp/
Regards,
Mohamed Gazzaz
Date: Mon, 14 May 2012 12:57:56 -0400
From: [email protected]
To: [email protected]
Subject: [OSL | CCIE_Security] DPD preemption?
Hello,
I am working on a design trying to accomplish the following: I have
two ASAs that need to terminate L2L IPSEC tunnels to some remote
sites but they are in different regions of the world. The idea is
that a remote site will have a tunnel to the ASA closest to the site,
and a backup tunnel to the other. I believe I can accomplish this by
having a crypto map on the remote router with two "set peer" commands
on the same crypto map line. It looks like dead peer detection will
detect if the primary link goes down and failover to the secondary,
but I don't see a way to make it recover after the primary comes back
up. Is there a way to accomplish that?
I would want it to fail back over to the primary because the primary
will be geographically closer and yield better response times.
Is there a better way to do something like this?
--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
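The design Joe describes in the thread (a VTI to each head end, with BGP choosing the nearer one so that traffic returns to the primary on its own once it recovers) and Piotr's closing suggestion of two tunnels with dynamic routing, written out as an added example remote-site configuration. It is not from any of the posters and assumes IOS routers at both head ends, RFC 5737 documentation addresses 203.0.113.1 (Michigan) and 198.51.100.1 (London), private AS numbers 65000 and 65001, GigabitEthernet0/0 as the single internet uplink, and a placeholder pre-shared key.

```cisco
! Remote-site router on the US side (constructed example, not from the thread).
! Addresses are RFC 5737 documentation prefixes; the PSK is a placeholder.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! One pre-shared key per head end
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.1
crypto isakmp key REPLACE-WITH-PSK address 198.51.100.1
! Periodic DPD: probe every 10 s, retry every 3 s. A dead head end tears down
! the IPsec SA, the VTI line protocol drops, and its BGP session goes with it.
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROFILE
 set transform-set AES256-SHA256
!
interface Tunnel1
 description Primary: Michigan head end (geographically nearer)
 ip address 10.255.1.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile VTI-PROFILE
!
interface Tunnel2
 description Backup: London head end
 ip address 10.255.2.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile VTI-PROFILE
!
! eBGP over both tunnels. Routes learned from Michigan get LOCAL_PREF 200 and
! win over London's LOCAL_PREF 100. When Tunnel1 fails, the Michigan session
! drops and London's routes take over; when Tunnel1 comes back, the Michigan
! session re-forms and its higher LOCAL_PREF wins again with no manual step,
! which is the fail-back a crypto map with two "set peer" entries lacks.
route-map FROM-MICHIGAN permit 10
 set local-preference 200
route-map FROM-LONDON permit 10
 set local-preference 100
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.255.1.1 remote-as 65000
 neighbor 10.255.1.1 description Michigan head end
 neighbor 10.255.1.1 route-map FROM-MICHIGAN in
 neighbor 10.255.2.1 remote-as 65000
 neighbor 10.255.2.1 description London head end
 neighbor 10.255.2.1 route-map FROM-LONDON in
 network 192.168.10.0 mask 255.255.255.0
```

A site nearer Europe uses the same configuration with the two local-preference values swapped. Failover speed is bounded by the DPD interval rather than the BGP hold timer, because a VTI's line protocol follows its IPsec SA and IOS's default fast external fallover tears down the BGP session as soon as the interface goes down; `show crypto session`, `show interfaces tunnel 1` and `show ip bgp` confirm which path is active after a head end is lost and again after it returns. This only works with VTI-capable head ends, which is why the thread settles on routers rather than the ASAs.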