dead-peer detection in lan-lan IPSec tunnels between pixes or asas

Unanswered Question
May 11th, 2007
User Badges:

We have a site which wants to connect back to our main office from an ASA running v7.2 via two different IPSec tunnels - one on the ASA's outside interface and one on its dmz. They want to set it up so that if the tunnel on the outside interface goes down, traffic will automatically reroute through the tunnel on the dmz. The equipment on the other end (the main office) is a Pix 525 running v7.2.

One of my coworkers said this could be done using dead-peer detection, but had no details on how to set it up. Can anyone point me to a document that shows how to configure this? I have so far been unable to find one on

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mrouch Fri, 05/11/2007 - 06:38
User Badges:

Thanks. What I also need is a link showing an example of how to set up failover between two IPSec tunnels on different interfaces using DPD. That is what I have so far been unable to locate. Does anyone have a link for that?

acomiskey Fri, 05/11/2007 - 07:24
User Badges:
  • Green, 3000 points or more

I have always used dpd for a remote site with 2 peers and 1 interface, not 1 peer and 2 interfaces. If the remote site lost contact with first peer it will move to the next peer in the list. But making the ASA route to a particular peer depending upon whether it is alive or not sounds like another story.

It sounds to me like the new "Backup ISP" option of ASA 7.2, or object tracking in the IOS world, is what you are looking for. You could have a specific route to the peer on the outside interface dependant upon whether it could ping the peer. If it could not it would put in the floating static route which would route to that peer out the DMZ interface, therefore bringing up the tunnel. I'm not saying it's not possible with dpd specifically, I just don't know anything about it, maybe someone else can chime in on that.


This Discussion