Aaron Magruder

Cisco EZVPN Dual Tunnel Dual ISP


Cisco EZVPN Server / Client lets you turn any Cisco router or ASA into a VPN client, so a remote office can connect every device back to the data center without creating manual IPsec VPN tunnels.

Cisco supports a Dual Tunnel EZVPN client so that the client can connect to two different Data Centers, but only if those two Data Centers advertise their specific subnets. Well, that doesn't help if Data Center A's Internet goes down and you need the remote client to connect through Data Center B to get back to Data Center A over the backbone connection between the Data Centers.

Adding a second ISP at the remote site further complicates the design. You cannot apply the same EZVPN profile to two outside interfaces, but you can create a second EZVPN profile to apply to the second ISP. In doing this, both ISP interfaces try to establish EZVPN tunnels back to each Data Center, which causes the VPN to disconnect repeatedly.

The solution is to use Cisco Embedded Event Manager (EEM).

1. Use IP SLA to track the upstream router on the Primary ISP.
2. Create a Track object bound to that IP SLA.
3. Use floating static routes tied to the Track to fail over to the Secondary ISP.
4. Use the same Track's Down state to have EEM move the EZVPN profile from the Primary ISP interface to the Secondary ISP interface.
5. Use the same Track's Up state to have EEM move the EZVPN profile back to the Primary ISP interface.

track 2 ip sla 2 reachability
 delay down 16 up 31
!
ip sla 2
 icmp-echo 4.2.2.2 source-interface FastEthernet4
 threshold 3000
 frequency 5
ip sla schedule 2 life forever start-time now
!
! Primary ISP (FastEthernet4): default route is withdrawn when track 2 goes down
ip route 0.0.0.0 0.0.0.0 x.x.x.x track 2
! Secondary ISP (Vlan2): floating default route with administrative distance 250
ip route 0.0.0.0 0.0.0.0 x.x.x.x 250
!
event manager applet EZVPN-Primary-Up
 description Move EZVPN Profile to Primary ISP
 event track 2 state up
 action 0.0 cli command "enable"
 action 1.0 cli command "conf t"
 action 1.1 cli command "int vlan 2"
 action 1.2 cli command "no crypto ipsec client ezvpn EZVPN"
 action 2.0 cli command "int f4"
 action 2.1 cli command "crypto ipsec client ezvpn EZVPN"
!
event manager applet EZVPN-Primary-Down
 description Move EZVPN Profile to Secondary ISP
 event track 2 state down
 action 0.0 cli command "enable"
 action 1.0 cli command "conf t"
 action 1.1 cli command "int f4"
 action 1.2 cli command "no crypto ipsec client ezvpn EZVPN"
 action 2.0 cli command "int vlan 2"
 action 2.1 cli command "crypto ipsec client ezvpn EZVPN"
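A mistake in the two applets (wrong track number, or both applets leaving the profile on the same interface) recreates exactly the flapping described above, so it is worth checking the wiring before pushing the config. The following Python script is an added example, not part of the original post: it parses a constructed config modelled on the one above and verifies that the applets trigger on the same track as the floating route and that the up/down applets swap the same two interfaces (function names and the sample config are assumptions).

```python
import re
# Constructed sample modelled on the post's config (next hops left as x.x.x.x placeholders).
GOOD_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 x.x.x.x track 2
event manager applet EZVPN-Primary-Up
 event track 2 state up
 action 1.1 cli command "int vlan 2"
 action 1.2 cli command "no crypto ipsec client ezvpn EZVPN"
 action 2.0 cli command "int f4"
 action 2.1 cli command "crypto ipsec client ezvpn EZVPN"
event manager applet EZVPN-Primary-Down
 event track 2 state down
 action 1.1 cli command "int f4"
 action 1.2 cli command "no crypto ipsec client ezvpn EZVPN"
 action 2.0 cli command "int vlan 2"
 action 2.1 cli command "crypto ipsec client ezvpn EZVPN"
"""

def parse_applets(config):
    """Applet name -> (track id, state, interface gaining EZVPN, interface losing it)."""
    applets = {}
    for block in re.split(r"^(?=event manager applet )", config, flags=re.M)[1:]:
        trig = re.search(r"event track (\d+) state (up|down)", block)
        cur = gain = lose = None
        for cmd in re.findall(r'cli command "([^"]*)"', block):
            if cmd.startswith("int"):        # "int f4": remember the current interface
                cur = cmd.split(None, 1)[1]  # names are compared as written (assumption)
            elif cmd.startswith("no crypto ipsec client ezvpn"):
                lose = cur
            elif cmd.startswith("crypto ipsec client ezvpn"):
                gain = cur
        applets[block.split()[3]] = (trig and trig.group(1), trig and trig.group(2), gain, lose)
    return applets

def check_failover(config):
    """Return wiring problems; an empty list means the route and applets agree."""
    problems = []
    routed = set(re.findall(r"^ip route \S+ \S+ \S+ track (\d+)", config, re.M))
    by_state = {}
    for name, (track, state, gain, lose) in parse_applets(config).items():
        if track not in routed:
            problems.append(f"{name}: triggers on track {track}, not the route's track")
        by_state[state] = (gain, lose)
    up, down = by_state.get("up"), by_state.get("down")
    if not up or not down:
        problems.append("need one 'state up' and one 'state down' applet")
    elif None in up or up[0] == up[1] or up != down[::-1]:
        problems.append("up/down applets must swap the same two interfaces")
    return problems
```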
