IPSec btw single ASA and 2 ASAs connected to different ISPs

Unanswered Question
Jul 11th, 2007

Hi all,

The scenario is as follows: I have two sites (A and B). In site A I have one ASA, and in site B I have two ASAs serving the same internal network segments (VLANs), but each connected to a different ISP on its outside interface. The plan is to establish an IPSec tunnel between the two sites, and here the question arises: how could we configure the two ASAs in site B to be in failover only for the IPSec tunnels? Or, to phrase my question differently, how could we configure a single ASA to establish IPSec tunnels with two standalone ASAs so that, if the first one fails, the other takes over as the IPSec termination point?

Appreciate your coordination in advance.

Jon Marshall Wed, 07/11/2007 - 03:27


The simplest thing to do would be to replicate your configuration between the two standalone ASA devices, and then on the single ASA, under the crypto map settings, you can enter two peer statements, e.g.

crypto map vpn-set 1 set peer "first ASA IP address"

crypto map vpn-set 1 set peer "second ASA IP address"

The ASA will try the peers in order.



balsheikh Sat, 07/14/2007 - 02:05


To accomplish the task of setting the VPN at both sites to answer only, is any further configuration required beyond the normal VPN IPSec parameters?

I'm a newbie to ping scripts; could you please shed more light on this? If you have a sample, it would be highly appreciated.



To set it to originate-only or answer-only, use the following crypto map lines:

crypto map outside_map 20 set connection-type originate-only

crypto map outside_map 20 set connection-type answer-only

For the ping script, you may have to look online or write it in Perl (can't really help with that).

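An added configuration example, not from the original thread, that puts the two replies above together: site A lists both site-B peers on one `set peer` line (the ASA CLI accepts several addresses on that line) with `originate-only`, and each site-B ASA is `answer-only`. The addresses (RFC 5737 ranges), ACL and transform-set names, and the pre-shared-key placeholder are all constructed for this example; `set pfs` is deliberately absent, in line with the advice later in the thread.

```cisco
! ---- Site A: single ASA, outside interface 198.51.100.5 (constructed address) ----
! Interesting traffic: site A LAN 10.1.0.0/16 <-> site B LAN 10.2.0.0/16 (constructed)
access-list SITEB_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 10 match address SITEB_TRAFFIC
! Peers are tried in the order listed: ASA2 at site B is only used when ASA1 does not answer.
crypto map outside_map 10 set peer 203.0.113.10 203.0.113.20
crypto map outside_map 10 set transform-set ESP-AES256-SHA
! On 7.x a crypto map entry with more than one peer must be originate-only (the 7.2 limitation discussed later in the thread)
crypto map outside_map 10 set connection-type originate-only
crypto map outside_map interface outside

! One tunnel-group per site-B peer; both carry the same pre-shared key.
! DPD (isakmp keepalive) is what makes site A notice a dead ASA1 and move on to ASA2:
! threshold 10 s without a reply, 2 retries, then the SA is torn down and the next peer is tried.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_KEY
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_KEY
 isakmp keepalive threshold 10 retry 2

! ---- Site B: ASA1 (outside 203.0.113.10 via ISP1) and ASA2 (outside 203.0.113.20 via ISP2) ----
! Identical on both boxes except the outside interface address; the isakmp policy and
! transform-set are the same as at site A and are omitted here. Only the peer and the
! connection type differ from the site A map.
access-list SITEA_TRAFFIC extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map outside_map 10 match address SITEA_TRAFFIC
crypto map outside_map 10 set peer 198.51.100.5
crypto map outside_map 10 set transform-set ESP-AES256-SHA
! answer-only: this ASA never initiates; only site A brings the tunnel up
crypto map outside_map 10 set connection-type answer-only
crypto map outside_map interface outside
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_KEY
 isakmp keepalive threshold 10 retry 2
```

Two consequences follow from the answer-only side that the thread only hints at. First, since neither site-B ASA can initiate, the tunnel exists only while site A has traffic matching `SITEB_TRAFFIC`; that is why a scheduled ping from site A toward a site-B host comes up as a way of keeping the SA alive and of triggering the switch to ASA2 promptly after ASA1 fails. Second, after a failover the tunnel terminates on ASA2, so site B's inside hosts must route traffic for 10.1.0.0/16 to whichever ASA currently holds it; this example covers only the crypto side and assumes that inside-gateway arrangement is handled separately. `show crypto isakmp sa` and `show crypto ipsec sa` on site A show which peer the SAs are currently built with.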



amitbatra Mon, 07/16/2007 - 14:33

hi guys,

Well, if possible, upgrade to 8.0; this will help you a lot, because this was a bug, or you could say a limitation, of the 7.2 OS on the PIX or ASA: you cannot specify two peers, or in other words a backup peer, for the VPN. In the 7.2(22) interim release this was fixed. You don't need to specify originate-only.

But 7.2(22) has some problems with remote-access VPN. Think of 8.0, which is good and will help you achieve what you want.

And in this type of VPN connectivity, disable PFS.

Hope this helps you.



So you are telling me (us) that the need to use originate-only on multiple-peer crypto maps (backup peer) has been totally eliminated in 7.2(22)? If so, then it would seem it's closer to the old PIX 6.3(5) code, which worked (works) like a charm.

And if this is true, this would mean we could run bi-directional in this scenario. That would be great!

amitbatra Tue, 08/07/2007 - 16:30


Yes, my friend Joe. After 7.2(22), and in 8.x, it works like 6.3(5).

You can run bi-directional, no problems at all. I have tested that and it is working in my network.

