Redundant VPN design using two ISPs and an ASA5510-FO - Is it possible?

Feb 16th, 2007


I need help with a design for a customer. We are looking to provide site-to-site VPNs with C85x Series at the remote sites and a redundant pair of ASAs at the central site.

The complication is that the customer wishes to have resilient internet links at the central site; these two links each have a different public IP. Should either link fail, the VPNs must work via the other link.

Is this configuration possible and if so how can it be done?

Any help or experience you may have would be appreciated.



Kamal Malhotra Fri, 02/16/2007 - 15:09

What I have understood is this :

                          -----ASA (Primary)
                         /    /
Router ---- Internet ----      (Failover)
                         \    \
                          -----ASA (Secondary)

This means that the ASAs are in failover and they have two internet connections (with different public IPs). We want that if one of the links fails, it should fall back to the other link. It is possible. You need to configure 2 peer IP addresses on the routers and a second default gateway on the ASA with a higher AD pointing to the backup link.

Please revert to me for clarifications.



kaachary Sun, 02/18/2007 - 05:59


On the ASA, you can use floating static routes. Let's say the remote network is 10.10.10.x:

route outside 10.10.10.0 255.255.255.0 <primary-gateway>       ! primary link (default AD of 1)
route outside 10.10.10.0 255.255.255.0 <backup-gateway> 2      ! backup link (AD 2, used only if the primary route is withdrawn)

On the router you have to create the crypto map with both peers:

crypto map mymap 1 ipsec-isakmp
 set peer x.x.x.x      ! central-site public IP on ISP 1
 set peer y.y.y.y      ! central-site public IP on ISP 2




Kamal Malhotra Sun, 02/18/2007 - 22:57

Hi Chris,

As mentioned earlier, please add a secondary default route rather than a specific route for the remote network as it will cause internet connectivity issues when the primary link fails.



ccpagel Mon, 02/19/2007 - 01:14

Hi Kamal,

How would you configure the ASA in this scenario, i.e. how do I configure two outside interfaces? Can you apply a secondary IP address to the outside interface (as you can on a router), or would I need to use a second Ethernet port on the ASA, configure a public IP on each (one from each ISP) and configure default routes out on both?

How would the ASA know that the default route was no longer there if one of the two DSLs failed? Since the Ethernet link to the DSL router would still be up, the ASA would still see it as available. I guess I could get around this by using a dynamic routing protocol.



Kamal Malhotra Mon, 02/19/2007 - 09:47

Hi Chris,

You will need to use another interface. You might also use a subinterface (a logical interface) and assign the IP addresses accordingly, but for that you need to remove the IP address from the main interface, create two subinterfaces and assign the IP addresses on the subinterfaces. Then you define the two default routes (of course one with a higher AD). Needless to mention that the physical interface will be physically connected to a switch that connects to both the ISPs. But if you have another physical interface available, I would recommend using it rather than going for the subinterfaces.

Secondly, the ASA will know only in the case the link on primary interface goes down. If there is some connectivity issue ahead of it, then the ASA will not know about it and will not fall back.


Please do rate if it helps. :-)
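As an added example (not posted by anyone in this thread), here is the two-outside-interface design discussed above, with the ASA tracking reachability of the primary ISP's next hop so that the primary default route is withdrawn when the upstream fails even while the Ethernet link to the DSL router stays up, and the remote router listing both central-site peers with DPD keepalives so a dead peer is abandoned. Interface names, the RFC 5737 documentation addresses, the probe target, ACL and transform-set names and the pre-shared key are all assumptions, and the example assumes ASA 7.2 or later for the sla monitor and track commands.

```cisco
! ===== Central-site ASA (assumed interface names and documentation addresses) =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0          ! public IP from ISP 1 (assumed)
interface Ethernet0/2
 nameif outside2
 security-level 0
 ip address 198.51.100.10 255.255.255.0       ! public IP from ISP 2 (assumed)
!
! ICMP probe of ISP 1's next hop (assumed 192.0.2.1); probing a host beyond the
! DSL router is what catches an upstream failure while the Ethernet link is still up
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary default route is tied to track 1 and is removed from the routing
! table when the probe fails; the backup route (AD 254) then takes over
route outside  0.0.0.0 0.0.0.0 192.0.2.1     1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254

! ===== Remote C85x router (assumed names; PSK is a placeholder) =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_PSK address 192.0.2.10
crypto isakmp key REPLACE_WITH_PSK address 198.51.100.10
! DPD: probe the peer every 10 s, retry every 3 s, so a dead primary peer is
! detected and the crypto map moves on to the next "set peer" entry
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set myset esp-aes esp-sha-hmac
ip access-list extended vpn-traffic
 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255    ! remote LAN -> central LAN (assumed)
crypto map mymap 1 ipsec-isakmp
 set peer 192.0.2.10          ! central site via ISP 1 (tried first)
 set peer 198.51.100.10       ! central site via ISP 2
 set transform-set myset
 match address vpn-traffic
interface FastEthernet4
 crypto map mymap
```

The ASA's own crypto map and ISAKMP must also be enabled on outside2 so the tunnel can terminate on either public IP; those lines are omitted here.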



