Failover between two ASA5510 when using EzVPN nem

Feb 24th, 2009

Our data centre has two connections into it, and we have an ASA5510 on each connection with an 1800 router between them and the servers. We have around 15 EzVPN (NEM) connections that terminate on one of the ASAs, which our remote sites use to access the Citrix servers.

N.B. We had to use EzVPN for the VPNs because (for reasons unknown) regular L2L VPNs didn't perform well enough and the EzVPNs do.

I would like to use the 2nd ASA as a failover connection to the data centre if the primary ASA or its circuit fails.

I have put the backup ASA into the EzVPN config (as a backup peer) on the remote site routers, and the EzVPN connections fail over OK when the primary ASA is taken down: the SAs build fine. However, traffic does not travel over the backup VPN. I fear this is a routing issue, as packets are going to the data centre but they are not coming back.

We are not using any routing protocols at present, only static routes. I have put a backup static route on the 1800 router with a higher metric to try and push traffic down the backup ASA when the primary ASA is down, but the route does not get added to the routing table.

Do I have to use a Routing protocol?

Can Routing protocols be used with EzVPN?

Do I need to use GRE Tunnels?

Any advice would be helpful.

auraza Fri, 02/27/2009 - 10:15
Cisco Employee

If I understand correctly, the ASAs are in front of the 1800s, which have the servers behind them. There are other EzVPN clients that connect to the ASAs.

You would have to use some sort of dynamic routing protocol, with reverse-route injection, and then redistribute the statics from the ASA to the dynamic routing protocol you are running.
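The configuration shape the answer describes, written out as an added illustration (not config from the original poster or from Cisco's documentation): reverse-route injection on the ASA's dynamic crypto map turns each EzVPN NEM client's protected subnet into a static route on whichever ASA currently holds the tunnel, and redistributing those statics into OSPF lets the 1800 learn, automatically, which ASA to send return traffic to. The interface names, OSPF process number, subnets and transform-set name below are assumptions; the existing tunnel-group and group-policy EzVPN configuration is assumed to be already in place and is unchanged. Apply the ASA section identically on both ASA5510s so the route follows the tunnel when a remote site fails over to its backup peer.

```cisco
! ---- ASA5510 (same on primary and backup; only the inside address differs) ----
! Assumed addressing: inside interface 10.0.1.1/24 on the primary, 10.0.2.1/24 on the backup.
! Assumed transform set name; match it to the one the EzVPN clients already negotiate.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic crypto map for the EzVPN (NEM) clients. "set reverse-route" is the
! reverse-route injection: when a client's SA comes up, the ASA installs a static
! route for that client's NEM subnet pointing out the outside interface, and
! removes it again when the SA is torn down.
crypto dynamic-map DYN-MAP 10 set transform-set ESP-3DES-SHA
crypto dynamic-map DYN-MAP 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! OSPF towards the 1800. The ASA "network" statement takes a subnet mask, not a
! wildcard. "redistribute static subnets" advertises the injected RRI routes
! (they are static routes in the ASA routing table) to the 1800, so the 1800
! learns the remote-site subnet from whichever ASA currently has the tunnel.
router ospf 1
 network 10.0.1.0 255.255.255.0 area 0
 redistribute static subnets
 log-adj-changes
!
! ---- 1800 router between the ASAs and the servers ----
! Assumed: FastEthernet0/0 = 10.0.1.2/24 (towards primary ASA)
!          FastEthernet0/1 = 10.0.2.2/24 (towards backup ASA)
!          Vlan1           = 10.0.10.1/24 (server LAN)
! No static routes to the remote-site subnets are needed any more; they arrive
! as OSPF external routes and disappear when the tunnel that injected them drops.
router ospf 1
 network 10.0.1.0 0.0.0.255 area 0
 network 10.0.2.0 0.0.0.255 area 0
 network 10.0.10.0 0.0.0.255 area 0
 passive-interface Vlan1
```

To check it during a failover test, look at `show route` on the backup ASA after a remote site reconnects to it (the client's NEM subnet should appear as a static route out the outside interface) and at `show ip route ospf` on the 1800 (the same subnet should now be an OSPF external route with the backup ASA's inside address as next hop). Because the route is created and withdrawn by the tunnel state rather than by a fixed floating static, the 1800 never keeps a stale path to an ASA whose tunnel is down, which is the failure mode the floating static route in the question ran into.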
