Wednesday, October 23, 2019

RRI on ASA as a redundancy mechanism does not work

tl;dr is at the bottom.

So I have a hub-and-spoke network. On the branch side, there is one ASA 5505 or 5506 with a static IPsec VPN to the data center, which has two ASA 5520s: one connected to ISP1 and the other connected to ISP2. Those two data center ASA 5520s connect to a layer 3 core switch at the data center running EIGRP. On the layer 3 core switch, there are static routes to the subnets of the branches, pointing to whichever ASA 5520 concentrates the VPN to that particular branch. This is obviously a problem if one of the data center circuits goes down, because it means I need to manually move the VPN over to the data center ASA 5520 that has the surviving circuit and rebuild the VPN tunnel on the branch side to get them back up, ad nauseam. I need a way to automate this so that if one of the data center circuits goes down, all of the tunnels fail over to the surviving data center ASA/ISP circuit without manual intervention.

What has been suggested to me is RRI. Basically, on the branch side, you set a second peer IP on the IPsec VPN crypto map (1st: DC ISP1 peer; 2nd: DC ISP2 peer). Then you set reverse-route on the DC-side ASA crypto map for that branch, which injects a static route into the DC ASA, which you then redistribute into your IGP on the ASA. The end result is SUPPOSED to be that your IGP learns the branch's subnet dynamically through the reverse route on whichever ASA is currently holding the active VPN, which eliminates the need for static routing to the branch on the DC core switch, and that is supposed to facilitate the failover automation.

This is not what happens. What happens is that once the reverse route is injected on the DC ASA, the IGP learns about the branch subnet regardless of whether the VPN is up, so the core switch ends up installing two equal-cost routes from the IGP, which breaks the branch. To circumvent that, what I tried instead was to set a reverse route on only ONE of the DC ASAs for a particular branch and redistribute it into EIGRP, and on the other DC ASA I do not set a reverse route but rather set a floating static route on the core switch at AD 240 for the branch's subnet. The idea is that when all is well, EIGRP learns the branch route at AD 170 via the DC ASA where the reverse route is set, and if it loses the VPN for any reason, that EIGRP AD 170 route goes away on the core switch, and it installs the floating static route at AD 240 to build the VPN via the other DC ASA. Once the main VPN is available again, EIGRP reroutes to the AD 170 route and everything falls back.

Doesn't work. The reverse route gets injected into EIGRP on the primary DC ASA regardless of whether the VPN is up, so the end result is that the core switch always thinks the EIGRP AD 170 route is valid and failover doesn't happen.

Am I doing something wrong or does this just suck?

tl;dr: Setting a reverse route on the data center ASA and redistributing it into the IGP injects the static route for the branch into the core switch regardless of whether the VPN is up, and failover does not occur because the core switch always thinks the route is valid.
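For reference, here is the configuration the post describes (branch crypto map with two peers, RRI on the primary DC ASA redistributed into EIGRP, floating static on the core for the second DC ASA), written out as an added example. This is not the author's configuration; all addresses (RFC 5737 documentation ranges), names (OUTSIDE_MAP, RRI-TO-EIGRP, etc.), the EIGRP AS number and the IKE/IPsec parameters are assumptions chosen for illustration.

```cisco
! ===== Branch ASA (5505/5506) =====
! Interesting traffic: branch LAN 10.10.1.0/24 <-> DC 10.0.0.0/16 (assumed)
access-list BRANCH-TO-DC extended permit ip 10.10.1.0 255.255.255.0 10.0.0.0 255.255.0.0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
! Two peers on one crypto map entry: DC ASA on ISP1 first, DC ASA on ISP2 second.
! The branch tries the peers in order, so the second is only used when the first is unreachable.
crypto map OUTSIDE_MAP 10 match address BRANCH-TO-DC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-placeholder>
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-placeholder>

! ===== Primary DC ASA 5520 (outside 203.0.113.1 on ISP1, inside 10.0.0.2) =====
access-list DC-TO-BRANCH extended permit ip 10.0.0.0 255.255.0.0 10.10.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address DC-TO-BRANCH
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
! RRI: the ASA installs a static route for 10.10.1.0/24 pointing out the tunnel.
! With plain "set reverse-route" on a static crypto map, that route exists as soon as the
! crypto map is applied, whether or not an IPsec SA is up (the behaviour the post observes).
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside
! Redistribute only the RRI route(s) into EIGRP; the route-map keeps unrelated statics out.
access-list RRI-ROUTES standard permit 10.10.1.0 255.255.255.0
route-map RRI-TO-EIGRP permit 10
 match ip address RRI-ROUTES
router eigrp 100
 network 10.0.0.0 255.255.0.0
 redistribute static metric 10000 100 255 1 1500 route-map RRI-TO-EIGRP
! Assumption, verify on your release: newer ASA software accepts
!   crypto map OUTSIDE_MAP 10 set reverse-route dynamic
! which installs the RRI route only while the IPsec SA is up. That is the check to make before
! relying on the AD 170 route disappearing when the tunnel drops.

! ===== Secondary DC ASA 5520 (outside 198.51.100.1 on ISP2, inside 10.0.0.3) =====
! Same crypto map as the primary, but WITHOUT set reverse-route and WITHOUT redistribution,
! so it never advertises 10.10.1.0/24 into EIGRP.
access-list DC-TO-BRANCH extended permit ip 10.0.0.0 255.255.0.0 10.10.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address DC-TO-BRANCH
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside

! ===== Layer 3 core switch (IOS) =====
router eigrp 100
 network 10.0.0.0 0.0.255.255
! Floating static (AD 240) toward the secondary DC ASA. It is only installed if no EIGRP
! external (AD 170) route for 10.10.1.0/24 is present, which is exactly the condition the
! always-present RRI route on the primary ASA prevents from ever being true.
ip route 10.10.1.0 255.255.255.0 10.0.0.3 240
```

To reproduce the symptom from the post, bring the primary tunnel down (for example `clear crypto ipsec sa peer 192.0.2.10` on the primary DC ASA, or pull the ISP1 circuit), confirm with `show crypto ipsec sa` that no SA exists, and then check `show route | include 10.10.1.0` on the primary DC ASA and `show ip route 10.10.1.0` on the core switch: with plain `set reverse-route`, the static route and the redistributed EIGRP external route are both still there, so the floating static never takes over.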


