Guide to VPN Failover With An MX to ASA?

SOLVED
steakandeggs
Here to help


Has anyone worked up a guide to configuring VPN failover from WAN 1 to WAN 2 where the other end is an ASA? On the MX the configuration should be trivial, but on the ASA side it might be a bit more involved. Haven't found anything here or in the Cisco Community on the topic that goes into specifics.


Also, does the MX support stateful failover for VPN traffic going to third party endpoints? For example, would TCP sessions and NAT translations be capable of being immediately reassigned to the VPN tunnel on WAN 2, without the need for the endpoints to restart whatever sessions they're running?

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

You can only do it using IKEv1. Cisco removed the functionality for IKEv2.


All you do on the "set peer" line is add a second IP address - your WAN2 IP address.

https://community.cisco.com/t5/vpn/backup-peer-ip-configuration-on-site-to-site-vpn-between-asa/td-p... 


Thinking about it more, you could use IKEv2, but put the ASA into responder mode only (so it won't attempt to build the VPN), and authenticate based on an identity presented by IKEv2 on the MX.


Search for "remote id" in this article:

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings 

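ASA-side configuration for the IKEv1 approach in the answer above, as an added example (not from the original post, nor from Cisco or Meraki documentation). The MX WAN1/WAN2 addresses, the LAN subnets and the pre-shared key are assumed placeholder values; the IKE and IPsec parameters must match whatever is set for the non-Meraki peer in the MX dashboard. The second address on `set peer` is the point, and each peer address also needs its own `tunnel-group` so the ASA accepts the MX initiating from either WAN.

```text
! Added example (ASA 8.4+/9.x syntax): IKEv1 site-to-site crypto map with two MX peers.
! 203.0.113.10 = MX WAN1, 198.51.100.10 = MX WAN2 (assumed documentation addresses).
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set MX-TS esp-aes-256 esp-sha-hmac
! Interesting traffic: ASA-side LAN to MX-side LAN (assumed subnets).
access-list MX-VPN extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address MX-VPN
! Primary peer first; the ASA only tries the second address when the first does not respond.
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set MX-TS
crypto map OUTSIDE-MAP interface outside
! One tunnel-group per peer address, otherwise the ASA rejects the MX when it initiates from WAN2.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
```

After forcing a WAN1 outage on the MX, `show crypto ikev1 sa` and `show crypto ipsec sa` on the ASA show which peer address the new SAs were built with, which is the check that the failover actually took the WAN2 path.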
