Meraki -> ASA VPN with Failover

Isam
New here


We have a virtual Meraki MX device in an AWS VPC, connecting back to our primary office's ASA over an IPSec tunnel.

Our office has a backup fibre line for instances where our primary line goes down, and as such the ASA has two public facing IP addresses. I can't seem to see a way to configure a backup IP address for the ASA end of the tunnel in the Meraki interface to enable this tunnel to failover automatically, and I can't simply set up two tunnels because they'll both be routing the same /16 subnet.

Is it possible to configure a failover situation like this so that when our primary line goes down the tunnel will switchover to the failover peer address?

3 Replies
PhilipDAth
Kind of a big deal

I can't think of a way you could make this work. This is also a very unusual configuration. You normally use a vMX with a physical on-premise MX.


I would strongly suggest you consider getting an on premise MX to terminate the VPN, even if you keep the ASA.

This is an old thread, but I'm now running into the same issue. I disagree with the statement that this is an unusual configuration, since it has been a standard configuration in other Cisco firewalls for as long as I can remember. In an ASA, as an example, you simply configure your phase 2 with something like the following:

crypto map outside-vpn-map 999 set peer 104.129.206.38 165.225.0.42 

This really is an important feature for the Meraki if it is going to be a viable replacement for other firewall products.  We use a tunnel like this to route traffic through a DLP vendor and since the Meraki firewall replacement, there is now no fault tolerance in the VPN tunnel on the vendor side.


This kind of thing and lack of support for IKEv2 in the VPN tunnels is really disappointing for anyone trying to move to Meraki from other more traditional firewall and networking gear.
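The ASA multi-peer crypto map that the reply above refers to, written out in full as an added example. It is not from this thread, from the poster, or copied from Cisco documentation: the peer and subnet addresses are RFC 5737 / RFC 1918 placeholders, and the object-group, ACL, tunnel-group and transform-set names are made up for illustration. It shows an IKEv1 site-to-site tunnel (the thread notes Meraki's VPN tunnels lack IKEv2) with a primary and a backup peer address on a single crypto map entry.

```cisco
! Added example, not from the thread. Names and addresses are placeholders.
! Local LAN behind the ASA and the remote network on the far side of the tunnel.
object-group network LOCAL-LAN
 network-object 10.0.0.0 255.255.0.0
object-group network REMOTE-VPC
 network-object 172.16.0.0 255.255.0.0
! Interesting traffic for phase 2: one ACL covers the remote /16 regardless of peer.
access-list VPN-VPC-ACL extended permit ip object-group LOCAL-LAN object-group REMOTE-VPC

! Phase 1 (IKEv1) policy.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800
crypto ikev1 enable outside

! One tunnel-group per remote peer address; each needs its own pre-shared key
! (PSK values are placeholders, replace before use).
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key PRIMARY-PSK-PLACEHOLDER
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key BACKUP-PSK-PLACEHOLDER

! Phase 2 transform set.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Single crypto map entry listing the primary peer first and the backup peer second.
crypto map outside-vpn-map 999 match address VPN-VPC-ACL
crypto map outside-vpn-map 999 set peer 203.0.113.10 198.51.100.20
crypto map outside-vpn-map 999 set ikev1 transform-set ESP-AES256-SHA
crypto map outside-vpn-map 999 set connection-type originate-only
crypto map outside-vpn-map interface outside
```

The reason this avoids the problem described in the original question is that both peer addresses hang off one crypto map entry with one `match address` ACL, so the same remote subnet is reachable through either peer without configuring two overlapping tunnels. The ASA only moves to the second peer when IKE negotiation with the first gets no response, and on the ASA that backup-peer behaviour applies to entries with the originate-only connection type, which is why it is set here. When verifying such a setup, check `show crypto ikev1 sa` and `show crypto ipsec sa` to confirm which peer the active SA is built to, and expect traffic to the remote subnet to be lost for the IKE retry interval while the ASA gives up on the primary peer.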
