VPN Failover

Unanswered Question
Apr 2nd, 2008

This is a controversial one:

We are trying to make a failover decision between two locations... Each site has a 2811 router AND a DSL backup to the Internet. Each site has an ASA connected to the 2811 to establish a VPN tunnel. The question centers on failover. Do we put the DSL line into a 2nd port on the ASA [5505] at each location and try to use the track command to fail over to the DSL? Or get a 2nd ASA for each site? Of course this gets involved when we bring up EIGRP with the internal network. Can the ASA track an interface and, when it goes down, use the secondary interface to re-establish the VPN tunnel at the far end? This then begs the question, what if it's the OTHER SIDE of the tunnel that dies but the line itself is not down... How do we make use of a 2nd tunnel, if a 2nd tunnel out the failover interface is even possible... Whew!

ivillegas Tue, 04/08/2008 - 12:55

A DSL connection can be established from the existing ASA independently. There is no question of failover here, meaning if you have a secondary or failover ASA, each can connect independently to DSL.

netsec123 Tue, 04/08/2008 - 18:38

But, if the Internet goes down, will the ASA re-establish a brand new VPN tunnel using its secondary interface? My other concern is that if something happens with JUST the tunnel, and not the Internet, can the ASA STILL keep going to the Internet out the primary link and yet STILL use the secondary link to establish a new tunnel? Controlling all these variables can get tricky I guess....
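The single-ASA variant raised in the question (DSL on a second port of the ASA 5505, `track` on the primary default route, the same crypto map bound to both interfaces), and the two failure cases in the follow-up post, as an added configuration example that is not part of this thread and not anything either poster ran. Every address is constructed for illustration: primary ISP 203.0.113.10/24 with gateway 203.0.113.1, DSL 198.51.100.10/24 with gateway 198.51.100.1, the far end reachable at 192.0.2.10 (its primary) and 192.0.2.20 (its DSL), local LAN 10.1.0.0/24 and remote LAN 10.2.0.0/24; the pre-shared key is a placeholder. The syntax assumed is ASA 8.0, current at the time of the post.

```cisco
! Added example (not from the thread). All addresses below are constructed.
! Two Internet-facing VLANs on the 5505: outside = 2811/primary ISP, backup = DSL.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Vlan3
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! Probe the primary ISP gateway every 10 s; if three echoes in a row fail,
! track 1 goes down. Probe something beyond the 2811 if the 2811 itself
! should not be the only thing being watched.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Case 1 (line/Internet down): the tracked default route is withdrawn and the
! floating route via DSL (metric 254) takes over. Because the ASA picks the
! egress interface from the routing table, both Internet traffic and the IKE/ESP
! traffic to the far end move to the backup interface together.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Interesting traffic and NAT exemption are defined on the inside interface,
! so they apply whichever outside-facing interface carries the tunnel.
access-list VPN_TRAFFIC extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list VPN_TRAFFIC
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN_MAP 10 match address VPN_TRAFFIC
! Case 2 (tunnel dead, line up): two peer addresses. When DPD declares the
! first peer dead the ASA initiates to the next one, still out whichever
! interface currently holds the route, so Internet traffic stays on the primary.
crypto map VPN_MAP 10 set peer 192.0.2.10 192.0.2.20
crypto map VPN_MAP 10 set transform-set ESP-AES-SHA
! The same map is bound to both local interfaces so IKE can run over either.
crypto map VPN_MAP interface outside
crypto map VPN_MAP interface backup
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! One tunnel-group per far-end address: the responder matches on peer IP, and
! the far end must likewise hold tunnel-groups for 203.0.113.10 and 198.51.100.10.
! The keepalive lines are DPD; without them a dead peer on an up line is noticed
! only when the SA lifetime expires.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
 isakmp keepalive threshold 10 retry 2
```

The far end needs the mirror image: its own tracked default route, the map bound to both of its interfaces, `set peer 203.0.113.10 198.51.100.10`, and tunnel-groups for both of those addresses. To watch it work, pull the primary gateway and check `show track 1`, `show route`, `show crypto isakmp sa` and `show crypto ipsec sa`; the old SAs are torn down and a new IKE exchange is sourced from the backup address. Two things the example assumes rather than demonstrates: the 5505 base license permits the third VLAN only with its inter-VLAN restriction, which a DSL backup port tolerates, and the tunnel cannot be pinned to the DSL interface while the default route stays on the primary line without adding a more specific route to the far peer via `backup`, which then also carries the tunnel in normal operation.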
