ASA 5510 (2 outside interfaces for ISP & VPN Failover) Is it possible

Jan 11th, 2008

Hi,

I have 2 ASA 5510's in A/P failover using the Management port.

I have failover set up for ISP failover:

Int 0/0 (Outside) Primary

Int 0/1 (Inside)

Int 0/2 (Backup_DSL) Backup

Failover is working perfectly: if Int 0/0 goes down, Int 0/2 comes up and I can access the internet, but for some reason I am unable to bring up a VPN on Int 0/2. Is it disabled by design on the 5510 (IOS 7.2)?

Tested for 4 hours with all possible options and can conclude there is some block on the interface stopping VPNs coming up.

Can anyone confirm???

Thanks, Joe

smitty6504 Fri, 01/11/2008 - 12:51

Do you have a secondary address set up in your VPN endpoints that tells it to use Int0/2 as a backup VPN connection, and do you have the firewall open for the VPN ports?

joe90kane Fri, 01/11/2008 - 14:24

Yes, we are using 1841's for each site. We can see the VPNs dropping and trying to come up on the backup interface, but on the ASA ((NOTHING)): no messages and no phase 1.

If I put my backup in Int 0/0 and change IP addresses, the VPNs come up perfectly, which leads me to believe it's the actual physical Int 0/2, but I could be wrong here. Any ideas?

smitty6504 Fri, 01/11/2008 - 17:58

I would start by posting your config. It sounds like the firewall is not permitting the connection, but you should be able to see that in the debugging log. Can you ping the backup interface when it's in Int0/2 from the 1841's? To me it doesn't sound like an interface issue; it sounds like a firewall or ACL issue. Make sure you have the following ports/protocols open, or your ACL is written like this:


! IKE (UDP/500), IKE NAT-T (UDP/4500), ESP (IP 50), AH (IP 51), GRE (IP 47)
access-list 100 permit udp any host x.x.x.x eq isakmp
access-list 100 permit udp any host x.x.x.x eq non500-isakmp
access-list 100 permit esp any host x.x.x.x
access-list 100 permit ahp any host x.x.x.x
access-list 100 permit gre any host x.x.x.x

x.x.x.x is going to be your Int0/2 outside IP.
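As an added check, not part of the thread, here is a small Python script that parses `access-list ... permit ... any host <ip>` lines from an ASA config fragment and reports which of the IPsec entries listed above are missing for the backup interface address. The config and the 203.0.113.2 address are constructed sample input; the regex only understands the ACE shape used in the post.

```python
import re

# IPsec-related ACL entries listed in the thread; each must permit traffic to the backup outside IP.
# Tuples: (protocol, port keyword or None) as they appear in ASA access-list syntax.
REQUIRED_ENTRIES = [
    ("udp", "isakmp"),         # UDP/500, IKE phase 1 and 2
    ("udp", "non500-isakmp"),  # UDP/4500, IKE NAT traversal
    ("esp", None),             # IP protocol 50
    ("ahp", None),             # IP protocol 51
    ("gre", None),             # IP protocol 47 (GRE-over-IPsec tunnels)
]

# Matches an extended ACE of the shape used in the post:
#   access-list <name> permit <proto> any host <ip> [eq <port>]
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+(?P<proto>\S+)\s+any\s+host\s+"
    r"(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

def parse_aces(config):
    """Return the permit ACEs found in an ASA config fragment as dicts."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(m.groupdict())   # unmatched 'port' group comes back as None
    return aces

def missing_ipsec_entries(config, backup_ip):
    """List the required entries that no ACE permits toward backup_ip, in REQUIRED_ENTRIES order."""
    aces = parse_aces(config)
    missing = []
    for proto, port in REQUIRED_ENTRIES:
        covered = any(
            a["proto"] == proto and a["dst"] == backup_ip and a["port"] == port
            for a in aces
        )
        if not covered:
            missing.append(proto if port is None else f"{proto}/{port}")
    return missing

# Constructed sample: the backup interface's ACL as posted, but with NAT-T and AH left out.
SAMPLE_CONFIG = """\
access-list 100 permit udp any host 203.0.113.2 eq isakmp
access-list 100 permit esp any host 203.0.113.2
access-list 100 permit gre any host 203.0.113.2
access-list 100 permit tcp any host 203.0.113.2 eq www
"""

if __name__ == "__main__":
    print(missing_ipsec_entries(SAMPLE_CONFIG, "203.0.113.2"))  # ['udp/non500-isakmp', 'ahp']
```

The ACL is only one prerequisite: on the ASA the crypto map must also be applied to the backup interface (`crypto map <name> interface Backup_DSL`) and ISAKMP enabled on it (`crypto isakmp enable Backup_DSL`), which this script does not check.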
