Backup Site-to-Site Tunnel
To specify the connection type for the Backup Site-to-Site feature on a crypto map entry, use the crypto map set connection-type command in global configuration mode. Use the no form of the command to return to the default setting.
Syntax:
crypto map map-name seq-num set connection-type {answer-only | originate-only | bidirectional}
- answer-only—Specifies that this peer only responds to inbound IKE connections during the initial proprietary exchange that determines the appropriate peer to connect to.
- bidirectional—Specifies that this peer can both accept and originate connections based on this crypto map entry. This is the default connection type for all Site-to-Site connections.
- originate-only—Specifies that this peer initiates the first proprietary exchange that determines the appropriate peer to connect to.
The crypto map set connection-type command specifies the connection types for the Backup LAN-to-LAN feature. It allows multiple backup peers to be specified at one end of the connection. This feature works only between these platforms:
- Two Cisco ASA 5500 series security appliances
- A Cisco ASA 5500 series security appliance and a Cisco VPN 3000 Concentrator
- A Cisco ASA 5500 series security appliance and a security appliance that runs Cisco PIX Security Appliance Software version 7.0 or later
To configure a backup LAN-to-LAN connection, Cisco recommends that you configure one end of the connection as originate-only with the originate-only keyword, and the end with multiple backup peers as answer-only with the answer-only keyword. On the originate-only end, use the crypto map set peer command to set the priority order of the peers. The originate-only security appliance attempts to negotiate with the first peer in the list. If that peer does not respond, the security appliance works its way down the list until either a peer responds or there are no more peers in the list.
When configured in this way, the originate-only peer initially attempts to establish a proprietary tunnel and negotiate with a peer. Thereafter, either peer can establish a normal LAN-to-LAN connection and data from either end can initiate the tunnel connection.
Note: If you configured the VPN with multiple peer IP addresses for a crypto map entry, the VPN is established with the backup peer IP address once the primary peer goes down. However, once the primary peer comes back, the VPN does not preempt to the primary IP address. You must manually delete the existing SA to reinitiate the VPN negotiation and switch it back to the primary IP address. In short, VPN preemption is not supported for site-to-site tunnels.
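The procedure above, shown end to end as a constructed ASA configuration fragment. This is an added example, not Cisco's own text: the hostnames, access-list names, RFC 5737 addresses, sequence numbers and pre-shared-key placeholders are all assumptions, and the syntax assumed is the pre-8.4 ASA/PIX 7.2 style (crypto isakmp, tunnel-group type ipsec-l2l) that matches the platforms listed above. The remote appliance is originate-only with three central peers listed in priority order; each central appliance is answer-only and lists only the remote. The last section shows the manual failback step the Note describes.

```cisco
! ===== Remote side: originate-only, ordered list of central peers =====
! (Constructed example; addresses, names and keys are placeholders.)
hostname asa-remote
!
access-list remote_to_central extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! Peers are tried in the order listed: 203.0.113.10 first, then .20, then .30
crypto map outside_map 20 match address remote_to_central
crypto map outside_map 20 set peer 203.0.113.10 203.0.113.20 203.0.113.30
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map 20 set connection-type originate-only
crypto map outside_map interface outside
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! One tunnel-group per central peer the remote may end up negotiating with
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
tunnel-group 203.0.113.30 type ipsec-l2l
tunnel-group 203.0.113.30 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>

! ===== Each central-side appliance: answer-only, single remote peer =====
! (Repeat on asa-central-2 and asa-central-3 with their own outside addresses.)
hostname asa-central-1
!
access-list central_to_remote extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 20 match address central_to_remote
crypto map outside_map 20 set peer 198.51.100.5
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map 20 set connection-type answer-only
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>

! ===== Manual failback after the primary peer (203.0.113.10) returns =====
! The tunnel stays on the backup peer until its SAs are cleared (see the Note above).
! Run on the remote appliance in privileged EXEC mode:
asa-remote# show crypto isakmp sa
asa-remote# clear crypto ipsec sa peer 203.0.113.20
asa-remote# clear crypto isakmp sa
asa-remote# show crypto isakmp sa
```

Making every central appliance answer-only is what keeps the design predictable: none of them will try to originate toward the remote's single address, so the remote's peer order is the only thing that decides which central box carries the tunnel. Because there is no preemption, the two show commands bracket the clear commands so you can confirm which peer the IKE SA was on before and after the SAs are deleted.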
Supported Backup LAN-to-LAN Connection Types

Remote Side | Central Side
---|---
Originate-Only | Answer-Only
Bi-Directional | Answer-Only
Bi-Directional | Bi-Directional
Example
This example, entered in global configuration mode, configures the crypto map mymap and sets the connection type to originate-only.
hostname(config)# crypto map mymap 20 set connection-type originate-only
Clear Security Associations (SAs)
In privileged EXEC mode on the PIX, use the following commands:
- clear [crypto] ipsec sa—Deletes the active IPsec SAs. The keyword crypto is optional.
- clear [crypto] isakmp sa—Deletes the active IKE SAs. The keyword crypto is optional.