Backup VPN tunnels

Aug 9th, 2007
Hi. We are using an ASA [failover pair] and tracking an interface so that we have Internet failover out a 2nd interface to another ISP. When the failover happens, we'd like the VPN tunnels to renegotiate using the backup Internet interface to the 2nd ISP. Is this possible? THANKS!

smalkeric Thu, 08/16/2007 - 09:31

I think you will have to do a NAT at some Internet router in front of the ASA when the traffic is switched from primary to secondary (or when the primary fails), and the remote ASA will have to point to two peer Internet routers. If one of the Internet links fails, the traffic will be put onto the other Internet link using HSRP. For the remote gateway to accept the traffic from the secondary gateway, the same crypto map on the remote gateway should point to both gateways. You will have to configure more than one peer on the crypto map. Also, the traffic has to be originated from the remote side because on 7.x code, with more than one peer on the crypto map, the tunnel can only be initiated from that specific peer.

netsec123 Thu, 08/16/2007 - 18:11
I think I got this licked on Wed.

Rough stuff.


urixadmin Thu, 03/20/2008 - 16:16
Hi Netsec,

Were you able to get this configured as desired? I am in the process of trying to do a similar thing. I have a VPN over ISP 1 on Firewall 1 to ISP 1 on Firewall 2, each at a different site, and I need the VPN to fail over along with the Internet link.

Thanks in advance...

netsec123 Thu, 03/20/2008 - 17:04
I'm sorry... we never got this to work effectively....