
We have two sites that are joined by a VPN over two WAN links, one primary and one backup only. The VPN endpoints are a pair of active/standby ASA clusters at each site.

Each site also has multiple additional VPNs to minor sites, some of which are also dual path, again one primary and one backup only.

We have this working although it is not working well, i.e. I'm unable to create new VPNs to new remote sites as they come online.

I've redesigned the setup but the design made use of loopback interfaces, and I now know that ASAs don't support loopback interfaces. I've tried to work around this by having a dummy sub-interface on the "redundant" interface that trunks the links to the WAN links. Needless to say, this hasn't been successful.

Has anyone else had this problem, and do you have a solution that you can share?

Thanks

CC

  • Well, I was unable to come up with a solution that simulated a loopback interface. In the end, I deleted the single crypto map that used both interfaces and created two new crypto maps, each with a single interface. The failover is done via sla monitor to "prefer" the primary WAN link with a high admin distance default route to the secondary WAN link. Lastly, this has allowed the creation of new VPNs to remote sites which previously wasn't possible. – user1174838 Apr 06 '16 at 12:16
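The layout the comment describes (one crypto map per WAN interface, primary default route tracked by an SLA monitor, backup default route with a high administrative distance), written out as an added ASA configuration example for the local site only; it is not the poster's configuration. Interface names, the peer address 192.0.2.10, the next hops in 203.0.113.0/24 and 198.51.100.0/24, the ACL name and the pre-shared-key placeholder are all constructed, and the remote end needs a matching pair of crypto maps.

```cisco
! --- Path monitoring: ping the primary ISP gateway out of the primary WAN interface
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside-primary
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! --- Primary default route is withdrawn when track 1 goes down;
!     the backup route (AD 254) then takes over and VPN traffic sources from outside-backup
route outside-primary 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside-backup  0.0.0.0 0.0.0.0 198.51.100.1 254
!
! --- IKEv1 / IPsec parameters (assumed values)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 enable outside-primary
crypto ikev1 enable outside-backup
!
! --- Interesting traffic for the site-to-site tunnel (constructed subnets)
access-list VPN-SITE-B extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
! --- One crypto map per interface, instead of one map bound to both interfaces
crypto map MAP-PRIMARY 10 match address VPN-SITE-B
crypto map MAP-PRIMARY 10 set peer 192.0.2.10
crypto map MAP-PRIMARY 10 set ikev1 transform-set ESP-AES256-SHA
crypto map MAP-PRIMARY interface outside-primary
!
crypto map MAP-BACKUP 10 match address VPN-SITE-B
crypto map MAP-BACKUP 10 set peer 192.0.2.10
crypto map MAP-BACKUP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map MAP-BACKUP interface outside-backup
!
! --- Peer authentication; replace the placeholder with a strong per-peer key
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
```

To confirm which path is live after a failover, check `show track 1` and `show route`, then `show crypto ikev1 sa` to see which local address the SA was built from.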
