Datacenter Dynamic VPN Failover with ASA's

Unanswered Question
Jun 24th, 2008

I have two datacenters connected via EIGRP dynamic routing. Branch offices terminate at the datacenters via leased lines.

I would like to back up the leased lines with IPsec VPN on either ASA 5520s (or higher) or Cisco 2800 routers. Using either EIGRP on the ASAs or static routing with a higher advertised distance, I would like to fail over to the IPsec VPN tunnels automatically if any leased line is down. I am planning to have a pair of ASAs between the datacenters and connect all branch offices to the ASAs via IPsec tunnels.

Has anyone done this before?

Would it be better to use Cisco routers instead of ASAs, given their better throughput? Does anyone have a design?

Collin Clark Tue, 06/24/2008 - 05:11

I have not done it on that large a scale, but I have set up sites to fail over with VPN. There is a good book on designing such scenarios.

I prefer to use routers since they have more functionality, but setting up the ASA to do it wasn't that bad.

francisco_1 Tue, 06/24/2008 - 05:24
I have a copy already. I might have to go through it.

Any more ideas?

Collin Clark Tue, 06/24/2008 - 05:26

Great. It really isn't that hard :). I used EIGRP and floating static routes. Do you have a specific question?
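
The floating-static design mentioned above, written out as an added example (not Collin's configuration and not from any Cisco document): a hypothetical branch Cisco 2800 in IOS syntax with EIGRP over the leased line and an IPsec crypto map on the Internet-facing interface. Interface names, the EIGRP AS number, the peer address 203.0.113.10, the documentation prefixes and the pre-shared key placeholder are all assumptions; only the branch side is shown, and the datacenter ASA needs a matching IKE/IPsec policy and mirrored crypto ACL.

```cisco
! Hypothetical branch router (Cisco 2800, IOS). Leased line on Serial0/0/0,
! DSL/Internet on FastEthernet0/1. All addresses are constructed documentation ranges.
!
! 1. Dynamic routing over the leased line: EIGRP learns the datacenter
!    prefix 10.10.0.0/16 with administrative distance 90.
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 10.255.0.0 0.0.0.3
 no auto-summary
!
! 2. Site-to-site IPsec toward the datacenter ASA (peer 203.0.113.10).
!    PLACEHOLDER_PSK stands in for the real pre-shared key.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.10
crypto ipsec transform-set DC-SET esp-aes 256 esp-sha-hmac
!
! "Interesting" traffic for the tunnel: branch LAN to the datacenter prefix.
ip access-list extended VPN-TO-DC
 permit ip 10.1.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
crypto map DC-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set DC-SET
 match address VPN-TO-DC
!
interface FastEthernet0/1
 description DSL / Internet
 ip address 198.51.100.2 255.255.255.252
 crypto map DC-MAP
!
! 3. Floating static route with AD 200. While the leased line is up the EIGRP
!    route (AD 90) wins and nothing is sent toward the crypto map. When
!    Serial0/0/0 goes down, EIGRP withdraws the prefix, this route is installed,
!    traffic for 10.10.0.0/16 leaves via Fa0/1, matches VPN-TO-DC and triggers IKE.
ip route 10.10.0.0 255.255.0.0 198.51.100.1 200
!
! The IKE peer itself must stay reachable without the leased line, otherwise
! the tunnel can never be negotiated once the primary path is gone.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

Two things to verify on a live box: `show ip route 10.10.0.0` should show the EIGRP route while the serial is up and the static with distance 200 after it is shut down, and `show crypto isakmp sa` should show the SA forming only after traffic matches the crypto ACL in the backup state. If the path to the peer (the default route here) itself depended on the leased line, IKE would never start when that line fails, which is the first thing to rule out when a backup tunnel refuses to come up.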

francisco_1 Wed, 06/25/2008 - 00:58


No routing question at this stage.

Thanks anyway.

HYE WILSON Wed, 07/23/2008 - 16:49
Would you mind posting a copy of the working configuration? I have a situation where I have an ASA 5505 in the main site and a Cisco 2801 at the remote site. The primary connection between them is a P2P T1, but I want to use VPN over DSL as backup. I am having a problem bringing up the VPN tunnel when the T1 is down. Any help will be appreciated. TIA. H. Wilson

husycisco Wed, 07/23/2008 - 17:44

Hello Franco,

ASAs cannot terminate a GRE tunnel, which is essential for building this structure with dynamic routing protocols.

I had a couple of ASA 5540s in the core in one of the projects that I led, with 500 simultaneous RA connections from branches replicating SQL databases from all over the country; throughput has never been an issue. But forget about Active/Active failover of site-to-site IPsec VPN tunnels. It is not supported. You can do Active/Passive.

Do the branches have two different routers for terminating the leased line and an Internet connection? What kind of switches are involved?
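
The router-based alternative husycisco alludes to (a GRE tunnel that carries the routing protocol, protected by IPsec), as an added example that is not from this thread or from any Cisco document: a hypothetical branch Cisco 2800 in IOS syntax running EIGRP over both the leased line and a GRE-over-IPsec tunnel, so that failover is handled entirely by EIGRP convergence instead of a floating static. Interface names, the EIGRP AS number, the peer address 203.0.113.10, the documentation prefixes and the pre-shared key placeholder are assumptions; the datacenter end must be a device that terminates GRE (a router, not an ASA) with a mirrored tunnel and IPsec profile.

```cisco
! Hypothetical branch router (Cisco 2800, IOS). Constructed documentation addresses.
! IKE/IPsec policy protecting the GRE tunnel; transport mode since GRE supplies
! its own outer IP header. PLACEHOLDER_PSK stands in for the real key.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.10
crypto ipsec transform-set DC-SET esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DC-PROFILE
 set transform-set DC-SET
!
interface FastEthernet0/1
 description DSL / Internet
 ip address 198.51.100.2 255.255.255.252
!
interface Serial0/0/0
 description leased line to datacenter
 ip address 10.255.0.2 255.255.255.252
!
! GRE tunnel to the datacenter router, encrypted by tunnel protection.
! A high delay gives the tunnel a worse EIGRP composite metric than the
! serial link, so the leased line is preferred while it is up and EIGRP
! converges onto the tunnel when the serial interface goes down.
interface Tunnel0
 description GRE over IPsec to datacenter
 ip address 10.254.0.2 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile DC-PROFILE
 delay 50000
!
! EIGRP runs over both paths; the datacenter advertises its prefixes on each.
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 10.254.0.0 0.0.0.3
 network 10.255.0.0 0.0.0.3
 no auto-summary
!
! The tunnel endpoint is reached through the Internet only, never via the
! leased line, so the GRE/IPsec path survives a leased-line outage.
ip route 203.0.113.10 255.255.255.255 198.51.100.1
```

With this design `show ip eigrp neighbors` should list a neighbor on both Serial0/0/0 and Tunnel0 in steady state; after shutting the serial interface the routes to the datacenter should reappear within EIGRP's hold time with Tunnel0 as the next hop, and `show crypto ipsec sa` should already show an established SA because the EIGRP hellos themselves keep the tunnel up. That is the practical difference from a crypto-map design: here the backup tunnel is continuously verified rather than negotiated on demand after the failure.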
