VPN Failover Question

abhustler Member Posts: 49
I have what I thought was a simple task, but I am having trouble figuring out how to implement it. I currently have a Cisco 5510 connected to an internet router and an MPLS router. The MPLS connection is new, and we previously communicated with our branch office subnets through a VPN tunnel I have configured on the ASA. Now that we are getting an MPLS connection, traffic destined for the branch subnets will go through the MPLS connection. However, I still want to keep the VPN as a failover in the event MPLS fails. I'm just not sure how I can tell the ASA to use the VPN only if the MPLS connection is down. Does anyone know, if I have both a VPN connection and static routes for the same remote subnets pointing to my MPLS router, whether the ASA will prefer the static routes and only use the VPN if the routes are not in the table? Any information would be appreciated.
A master at anything was once a beginner

Comments

  • jason_lunde Member Posts: 567
    Ya dude. Just use the interface tracking feature. Drop the static route if it's down... and let it just use the default. Leave your NAT statements in the ASA for the tunnel... it should see interesting traffic and use the tunnel if that primary route is down... I am pretty sure routing comes before NAT in ASA order of ops.
  • chrisone Senior Member Posts: 2,253
    Yeah definitely use tracked routes
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2022 Goals:
    Certs: EnCE (cert obtained), SC-300 (in progress), AZ-500, SC-100, SPLK-1003
    Course: BC Security - Empire Operations 1 (completed), Zero Point Security - CRTO (course completed)
  • mzbagasra Member Posts: 32
    What is interface tracking feature?
  • burbankmarc Member Posts: 460
    I have this exact same setup, but I handle the VPN connections on the routers connected to the internet. This way I can create GRE tunnels and either inject static routes into OSPF, or add the VPN connection into OSPF.
  • mrblackmamba343 Inactive Imported Users Posts: 136
    GRE tunnels over the IPsec.

    Use a routing protocol to pick the best path, which I assume will be the MPLS.
  • APA Member Posts: 959
    > I have this exact same setup, but I handle the VPN connections on the routers connected to the internet. This way I can create GRE tunnels and either inject static routes into OSPF, or add the VPN connection into OSPF.

    +1 - I was going to suggest this... however burbank already covered it... Let a routing protocol make the decision... have a higher metric on the GRE routing-protocol adjacency over the IPsec VPN.

    Thus MPLS VPN will always be preferred unless it is down...

    If it's not possible to deploy this... then tracked routes would be the way to go...

    > I am pretty sure routing comes before NAT in ASA order of ops.

    That is correct... for egress traffic NAT is after routing... for ingress traffic to the ASA NAT is before routing.

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
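To make the "tracked routes" suggestion from jason_lunde and APA concrete, here is an added example of how static route tracking is configured on an ASA. It is not taken from the thread or from any poster's configuration; the interface names (`mpls`, `outside`), the branch subnet 192.168.20.0/24, the MPLS router address 10.10.10.1, the ISP gateway 203.0.113.1 and the SLA/track IDs are all assumed values for illustration.

```cisco
! Probe the MPLS router (assumed 10.10.10.1) with ICMP echo out the "mpls" interface every 5 s
sla monitor 10
 type echo protocol ipIcmpEcho 10.10.10.1 interface mpls
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
!
! Track object 1 follows the probe: "up" while the echoes succeed, "down" when they stop
track 1 rtr 10 reachability
!
! Primary path to the branch subnet via the MPLS router; the ASA withdraws this route
! from the routing table as soon as track 1 goes down
route mpls 192.168.20.0 255.255.255.0 10.10.10.1 1 track 1
!
! Backup path: same subnet via the internet gateway with a worse administrative distance (254),
! so it is only installed once the tracked route disappears. Traffic then leaves the outside
! interface, matches the crypto map's interesting-traffic ACL, and goes through the IPsec tunnel.
route outside 192.168.20.0 255.255.255.0 203.0.113.1 254
```

As jason_lunde notes, the explicit backup route is optional when the ASA already has a default route out `outside`; it is shown here so that the fallback path is visible in the configuration and does not depend on the default route. The existing crypto ACL and the NAT exemption for the branch subnets must stay in place, since routing is evaluated before NAT for egress traffic and the tunnel is only used if the packet exits the interface the crypto map is bound to. One caveat: probing the directly connected MPLS router only detects a failure of that device or link, not an outage deeper in the provider cloud; probing an address on the far side of the MPLS path covers more failure modes but needs its own route so the probe leaves via `mpls`. `show track 1`, `show sla monitor operational-state` and `show route` confirm which path is currently active.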