VPN Failover Question

abhustlerabhustler Member Posts: 49 ■■□□□□□□□□
in CCNP
I have what I thought was a simple task but i am having trouble figuring out how to implement it. I currently have a cisco 5510 connected to an internet router and a MPLS router. The MPLS connection is new and we previously communicated with our branch office subnets through a vpn tunnel i have configured on the ASA. Now that we are getting a MPLS connection traffic destined for the branch subnets will go through the MPLS connection. However I still want to keep the VPN as a failover in the event MPLS fails. I'm just not sure how I can tell the ASA to use the vpn only if the MPLS connection is down. Does anyone know if i have both a vpn connection and static routes for the same remote subnets pointing to my MPLS router will the ASA prefer the static routes and only use the vpn if the routes are not in the table? Any information would be appreciated.
A master at anything was once a beginner
· Share on FacebookShare on Twitter

Comments

  • jason_lundejason_lunde Member Posts: 567
    Ya dude. Just use the interface tracking feature. Drop the static route if its down..and let it just use the default. Leave your NAT statements in the ASA for the tunnel...it should see interesting traffic and use the tunnel if that primary route is down...I am pretty sure routing comes before nat in ASA order of ops.
    · Share on FacebookShare on Twitter
  • chrisonechrisone Member Posts: 2,278 ■■■■■■■■■□
    Yeah definitely use tracked routes
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2025 Cert Goals: AWS Sec SCS-C02
    · Share on FacebookShare on Twitter
  • mzbagasramzbagasra Member Posts: 32 ■■□□□□□□□□
    What is interface tracking feature?
    · Share on FacebookShare on Twitter
  • jason_lundejason_lunde Member Posts: 567
    mzbagasra wrote: »
    What is interface tracking feature?

    ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example - Cisco Systems
    · Share on FacebookShare on Twitter
  • burbankmarcburbankmarc Member Posts: 460
    I have this exact same setup, but I handle the VPN connections on the routers connected to the internet. This way I can create gre tunnels and either inject static routes into OSPF, or add the VPN connection into OSPF.
    · Share on FacebookShare on Twitter
  • mrblackmamba343mrblackmamba343 Inactive Imported Users Posts: 136
    GRE Tunnels over the IPSEC

    use a routing protocol to pick the best path, which I assume will be the MPLS
    · Share on FacebookShare on Twitter
  • APAAPA Member Posts: 959
    burbankmarc wrote: »
    I have this exact same setup, but I handle the VPN connections on the routers connected to the internet. This way I can create gre tunnels and either inject static routes into OSPF, or add the VPN connection into OSPF.

    +1 - I was going to suggest this.... however burbank already covered it..... Let a routing protocol make the decision... have a higher metric on the GRE routing-protocols adjacency over the IPSec VPN.

    Thus MPLS VPN will always be preferred unless it is down....

    If its not possible to deploy this... then tracked routes would be the way to go...
    jason_lunde wrote:
    I am pretty sure routing comes before nat in ASA order of ops.

    That is correct... for egress traffic NAT is after routing.... for ingress traffic to the ASA NAT is before routing..
    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
    · Share on FacebookShare on Twitter
Sign In or Register to comment.