Redundant VPN tunnels?

Unanswered Question
Aug 7th, 2007

So I may have done something wrong or I just don't understand this.

We have an ASA 5520 at our datacenter which has one link to the internet. We also have remote offices with 2 ISPs, one primary and one backup, each with a different IP address. I set up VPN tunnels between them (ASA 5505/5510 in the remotes).

What I want to do is have a backup tunnel dial out if the outside interface fails. I use IP SLA to track the T1 and if it goes down fail over to DSL. This works, but I tried every way I can think of to move the tunnel and it just plain fails.

I called TAC and they said to try using the set connection-type command, use originate-only at the datacenter and answer-only on the remote site. The tunnel does come up if we are using the outside interface, but if we fail over the ASA in the remote office the DC keeps trying only one IP (the outside int of the remote office). I can't for the life of me figure this out. TAC gave up and closed the call.

Anyone know why?

We have 5520 at the DC running 7.0.5, remotes are all 7.22.

Any help would be great.

acomiskey Wed, 08/08/2007 - 04:49

Could you post a config please?

You must run isakmp keepalive for this as well.
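A constructed example, not from the thread or from either poster, of how the pieces named in the question and in the keepalive reply fit together on ASA 7.x: SLA-tracked default routes on the remote, one crypto map bound to each ISP interface in answer-only mode, and the DC originating to both remote addresses with ISAKMP keepalives (DPD) so a dead tunnel is detected and the next peer is tried. Interface names, addresses (RFC 5737), ACL names and the pre-shared key are assumed placeholders.

```cisco
! ===== Remote office ASA (two ISP interfaces: outside = T1, backup = DSL) =====
! Track the T1 next hop with IP SLA; the DSL default route takes over when it fails.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
! Same tunnel definition on both interfaces; the remote never initiates.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address DC_TRAFFIC
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set connection-type answer-only
crypto map outside_map interface outside
crypto map backup_map 10 match address DC_TRAFFIC
crypto map backup_map 10 set peer 192.0.2.10
crypto map backup_map 10 set transform-set ESP-AES-SHA
crypto map backup_map 10 set connection-type answer-only
crypto map backup_map interface backup
isakmp enable outside
isakmp enable backup
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_PSK
 isakmp keepalive threshold 10 retry 3

! ===== Datacenter ASA 5520 (single outside link, 192.0.2.10) =====
! Two peers in order: T1 address first, DSL address as backup. originate-only
! is what lets the DC walk the peer list; keepalives tear down the dead SA.
crypto map outside_map 20 match address REMOTE1_TRAFFIC
crypto map outside_map 20 set peer 203.0.113.2 198.51.100.2
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map 20 set connection-type originate-only
crypto map outside_map interface outside
! One tunnel-group per remote peer address, both with the same DPD settings.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE_WITH_PSK
 isakmp keepalive threshold 10 retry 3
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key REPLACE_WITH_PSK
 isakmp keepalive threshold 10 retry 3
```

During a failover, `show track 1` and `show route` on the remote confirm the DSL route is active, and `show crypto isakmp sa` on the DC shows which of the two peer addresses the SA was built to.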
