
I have a number of remote sites connecting back to head office via Cisco ASA 5505s and Cisco PIX 506es. At head office we have an old Cisco 3000 VPN Concentrator, and a new Cisco ASA 5510.

The remote sites use Easy VPN to connect (so they show up as Remote Access sessions, not Lan2Lan).

I am in the process of migrating the remote devices to connect to the new 5510. I can have multiple VPN Servers in the config for failover, so I am adding the VPN Concentrator there. However, at the head office end, we currently have static routes set up to direct traffic for our remote subnets to either the 5510 or VPN Concentrator. This means that in a failover situation, manual intervention would be required to update the routes at head office.

We have Dell PowerConnect 6248s as core switches at head office - all the routing is configured on there at present. I'd like to get some kind of failover routing in place so if I take the ASA 5510 down for any reason, the connections still work. The endpoints can handle this failover, but the routing is currently all static. How can I achieve this?

dunxd

2 Answers


If possible, go to dynamic routing. Given the right physical setup, using static routes with different metrics will give you decent fail-over behaviour.

A router normally doesn't track reachability for next hops; it tracks "interface up" or "interface down", and if at least one interface that is a suitable egress for a given next hop is "up", the next hop is considered reachable. At that point, the only thing that would cause packets not to be sent to a next hop, up or down, is that there's no ARP resolution, and as ARP requests are usually cached for quite a while (Cisco default is, I believe, 4 hours), you may be in for a long wait.

In "Cisco-land", using static routes with different (administrative) distances is called "floating statics"; they are usually used for fail-over from a serial link to another link, as the serial link is (usually) point-to-point (this may not be the case if you're using FR or other serial link protocols able to provide multi-point) and has enough signaling to be able to flag "other end is unreachable" (unlike, say, most "metro Ethernet", where there are usually multiple L2 hops between the two L3 end-points, so a break somewhere in the transmission path is usually not visible as a downed interface).

So, in short, if you can arrange that your 5510 is connected on a dedicated switch-port, with a /30 network, on a single core switch and the 5510 will NOT cause the switch-port on the core switch to signal as up when the 5510 is switched off (or you're willing to take the time-hit of someone to have to either modify the routing or unplug the cable), floating statics may be exactly all you need. Well worth investigating, but I'd probably look into configuring dynamic routing, at least for the VPN routes.

Vatine
  • So if I were to opt for dynamic routing, which type would be simplest to set up? Will RIP or OSPF do this for us? The reason we have been using static routing is that our network is very much a hub spoke affair, with redundancy achieved in different ways, and very few alternative routes. – dunxd Sep 15 '10 at 06:10
  • OSPF is probably a better choice. – wolfgangsz Sep 15 '10 at 08:19
  • OSPF or RIP would probably both do. Of those, I'd pick OSPF, since RIP (while useful in some situations) is kinda slow and has interesting corner cases. – Vatine Sep 15 '10 at 09:36

If your PowerConnect switches support this, then they should show a "metric" number in the routing tables. Sometimes this is also referred to as "distance" or "administrative distance". Whatever the name for it is, this figure is an indicator for the router how close or direct that route is. The higher the number, the longer the route.

If you want to set up failover routes, then you need to add routes for the target subnet that go through a different gateway (in your case the "backup" VPN Server) with a higher metric. These backup routes will be used when other routes with lower metrics are unavailable (e.g. when the relevant gateway cannot be reached).

wolfgangsz
  • The PowerConnect switch does support this. So if I put the route via the ASA with a metric of 10 and the VPN Concentrator with 1, then when the ASA is up, the traffic will be routed to the ASA, and if it is down, it will go to the VPN Concentrator? I didn't think it would be that easy. – dunxd Sep 14 '10 at 21:02
  • No, the other way around. The routes with the lowest metrics are considered "shortest" or "closest" and will therefore be tried first, and if not available, the route with the next higher metric will be tried, until no more routes are available. – wolfgangsz Sep 14 '10 at 23:29
  • Also bear in mind that it is not always simple for a device to know that "the next hop" is down. If it's on a dedicated L3 port, unplugging the cable is a clear indication to the device that the next hop is unreachable, but if it's part of a /24, you're essentially trusting ARP timeouts to be fast enough (unless, of course, you have dynamic routing in place for the "next hop", but then you may as well go full dynamic routing). – Vatine Sep 15 '10 at 00:02
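The following Python model of the hub-side routing table is an added example, not code from the question or from either answer. It puts both answers' points in one place: among the usable routes for a destination, the lowest administrative distance wins (wolfgangsz's answer and the "10 vs 1" comment), and what "usable" means depends on what the box actually tracks (Vatine's answer). The addresses, interface names, the remote subnet and the four-hour ARP lifetime are made-up inputs. The untracked policy mirrors Cisco IOS, where a static route stays installed while its egress interface is up, so a dead next hop on a shared VLAN is black-holed whether or not its ARP entry has expired; the tracked policy stands in for object tracking such as IP SLA on a Cisco box, and whether the PowerConnect firmware offers an equivalent is not something this thread establishes.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# Made-up addresses for the simulation (not from the question).
ASA = ip_address("10.0.0.2")            # ASA 5510 on the shared VLAN
ASA_P2P = ip_address("10.9.9.2")        # ASA 5510 when given its own /30 port
CONC = ip_address("10.0.0.3")           # VPN 3000 Concentrator on the shared VLAN
BRANCH = ip_network("192.168.50.0/24")  # one remote site's LAN
ARP_TTL = 4 * 3600                      # assumed ARP cache lifetime, as in the answer


@dataclass
class Interface:
    name: str
    up: bool = True
    arp_cache: Dict[IPv4Address, int] = field(default_factory=dict)  # ip -> seconds left


@dataclass
class StaticRoute:
    prefix: IPv4Network
    next_hop: IPv4Address
    egress: str            # interface the next hop lives on
    distance: int          # administrative distance: lowest usable route wins
    tracked: bool = False  # withdraw the route when a probe to next_hop fails


class Router:
    """Hub-side RIB with floating statics and two next-hop policies.

    Untracked statics stay installed while the egress interface is up (Cisco
    IOS behaviour); tracked statics also need the next hop to answer a probe,
    which stands in for object tracking such as IP SLA.
    """

    def __init__(self, interfaces: List[Interface], routes: List[StaticRoute],
                 alive: Callable[[IPv4Address], bool]):
        self.ifs = {i.name: i for i in interfaces}
        self.routes = routes
        self.alive = alive  # "does this box answer on the wire" for the simulation

    def usable(self, r: StaticRoute) -> bool:
        if not self.ifs[r.egress].up:
            return False  # link down: route leaves the RIB
        if r.tracked and not self.alive(r.next_hop):
            return False  # tracking object failed: route withdrawn
        return True       # untracked static: interface up is all that is checked

    def lookup(self, dst: IPv4Address) -> Optional[StaticRoute]:
        cands = [r for r in self.routes if dst in r.prefix and self.usable(r)]
        if not cands:
            return None
        # longest prefix first, then lowest administrative distance
        return min(cands, key=lambda r: (-r.prefix.prefixlen, r.distance))

    def forward(self, dst: str) -> Tuple[str, str]:
        r = self.lookup(ip_address(dst))
        if r is None:
            return ("dropped", "no route")
        iface, nh = self.ifs[r.egress], r.next_hop
        if iface.arp_cache.get(nh, 0) > 0:
            # cached MAC: the frame goes out even if the host died in the meantime
            return ("sent", str(nh)) if self.alive(nh) else ("blackholed", str(nh))
        if self.alive(nh):
            iface.arp_cache[nh] = ARP_TTL
            return ("sent", str(nh))
        return ("dropped", f"ARP for {nh} unanswered")  # route is still installed


def scenario_shared_vlan(asa_alive: bool, tracked: bool = False,
                         arp_cached: bool = True) -> Tuple[str, str]:
    """Both VPN devices on one /24 behind the same switch port."""
    vlan = Interface("vlan10", arp_cache={ASA: ARP_TTL} if arp_cached else {})
    rtr = Router([vlan], [
        StaticRoute(BRANCH, ASA, "vlan10", distance=1, tracked=tracked),
        StaticRoute(BRANCH, CONC, "vlan10", distance=10, tracked=tracked),
    ], alive=lambda ip: ip == CONC or (ip == ASA and asa_alive))
    return rtr.forward("192.168.50.10")


def scenario_dedicated_port(asa_alive: bool) -> Tuple[str, str]:
    """ASA on its own /30 port, so powering it off takes the link down."""
    p2p = Interface("gi1/0/1", up=asa_alive)
    vlan = Interface("vlan10")
    rtr = Router([p2p, vlan], [
        StaticRoute(BRANCH, ASA_P2P, "gi1/0/1", distance=1),
        StaticRoute(BRANCH, CONC, "vlan10", distance=10),
    ], alive=lambda ip: ip == CONC or (ip == ASA_P2P and asa_alive))
    return rtr.forward("192.168.50.10")


if __name__ == "__main__":
    print("shared VLAN, ASA up             :", scenario_shared_vlan(True))
    print("shared VLAN, ASA off, ARP cached:", scenario_shared_vlan(False))
    print("shared VLAN, ASA off, no ARP    :", scenario_shared_vlan(False, arp_cached=False))
    print("shared VLAN, ASA off, tracked   :", scenario_shared_vlan(False, tracked=True))
    print("dedicated /30, ASA off          :", scenario_dedicated_port(False))
```

Running it shows that on the shared VLAN the floating static only takes over in the tracked scenario; with an untracked static the ASA route stays selected and traffic is either black-holed to the cached MAC or dropped on a failed ARP, which is the long wait Vatine warns about. The dedicated /30 port fails over because the link itself goes down, which is exactly the physical setup his answer asks for.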