I would like to ask a question about something I'm not clear on: how to set up a VPN with primary and backup connections. How can we do this? (I mean that when the primary goes down, the backup connection comes up automatically.)
Could you advise me how I can do it?
I liked JORGE's suggestions,
but I think the idea I have given above, to configure one map with two tunnel groups with two sequence numbers, is better in one way:
with active/standby, in addition to the required license, you are going to make a whole firewall passive, waiting for the active one to fail before it handles the traffic,
while in my opinion, if you follow what I have given,
you can use both firewalls on the other site while you have them as primary and backup for your site for VPN.
In other words, it is like two in one:
you have two active firewalls on that site,
and you also have a backup VPN device for VPN tunnels.
Again, JORGE's suggestion is great and professional.
And please, if helpful, rate.
I guess we should have asked for a little more information; it seems Marwan and I responded almost at the same time, and I'm sure he'll provide great info.
I had geared more towards a fault tolerance scenario from a failed firewall or a failed ISP connection in a DUAL Fw and DUAL ISP architecture.
Assuming you want to have a redundant firewall design, that is where you look into Active/Standby firewalls to provide firewall redundancy, but when it comes to continuous connections with VPNs when one firewall fails, that is where the stateful feature comes into play.
I'm providing a few links below for reference to get an idea of active and standby FWs, but the ASA5505 is the only model that is stateless; it is not stateful, which means connections will need to re-establish when one firewall fails.
Also, in order to implement dual firewalls for a failover implementation you will need the Security Plus license to enable the active and standby feature. This license will also include the activation of DMZ support and the ability to create up to 20 VLANs, as well as Dual ISP support.
Example of active/standby
ASA comparison - Look into Ipsec plus license and features.
On the other hand, you may in the future have a backup ISP link; not only do you have Active/Standby failover, but you may also want to have a backup ISP link should the primary link fail, using SLA and static route tracking.
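
The SLA and static route tracking mentioned in the last reply, shown as an added example that is not from any poster in this thread. It assumes ASA 8.x-style syntax, interface names `outside` and `backup`, a crypto map called `VPNMAP`, and documentation-range addresses; the `VPN_ACL` access list, IKE policy, transform set and tunnel-group settings are assumed to be configured already.

```cisco
! Added example. Every name and address here is an assumption (RFC 5737 ranges).
! Local site with two ISPs: "outside" = primary ISP, "backup" = secondary ISP.
!
! Probe the primary ISP gateway with ICMP echo every 10 seconds.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Track object 1 follows the reachability result of SLA operation 10.
track 1 rtr 10 reachability
!
! Primary default route stays installed only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
! Floating default route (metric 254) takes over when the tracked route is removed.
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Bind the same crypto map to both interfaces so the tunnel to the remote
! peer (192.0.2.10) can be negotiated over whichever ISP is carrying traffic.
crypto map VPNMAP 10 match address VPN_ACL
crypto map VPNMAP 10 set peer 192.0.2.10
crypto map VPNMAP interface outside
crypto map VPNMAP interface backup
!
! On the remote peer: list both public addresses of this site, primary first.
! The remote peer also needs a tunnel-group for each of the two addresses.
! crypto map VPNMAP 10 set peer 198.51.100.2 203.0.113.2
```

On the ASA, `show track` and `show route` report whether the tracked route or the floating route is currently installed. Probing only the ISP's next hop misses failures further upstream, so a stable address beyond the gateway is often a better probe target.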