VPN Failover within the same ASA

Unanswered Question
May 22nd, 2009

Hi Everyone,

I'm working out a concept here and want to know if this can be done. On an ASA I would like to have two different interfaces connect to two different ISPs, one primary and one backup. I will also be running VPN tunnels across the links.

What I want to know is if I have a tunnel established over ISP A to our remote site, and it fails, is there a way to have the state information and tunnel moved over to ISP B, on the same ASA device?


Farrukh Haroon Sun, 05/24/2009 - 05:48

First of all, the ASA does not support multiple default routes (out different interfaces), so you can't do an active-active ISP setup. It also does not support PBR.

AFAIK, you cannot achieve stateful VPN failover in this manner. You could set 'two' crypto map peer statements on the other side, but this will not give you stateful failover.

Cisco recommends IOS routers for L2L setups, as they are more feature rich in this regard.
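As an added illustration of the two-peer approach described in the answer above (this is example configuration, not a config posted in the thread), here is ASA-style CLI for both ends. Interface names (ispA, ispB, outside), map and ACL names, and the documentation-range addresses are all constructed assumptions; the dual-ISP side relies on the ASA's static route tracking (sla monitor/track) so that only one default route is active at a time, and the remote side lists both ISP addresses as peers. Failover here is a fresh IKE/IPsec negotiation out ISP B, not a stateful move of the existing tunnel.

```cisco
! ===== Remote site (single ISP, outside IP 192.0.2.1 - constructed) =====
! Two peers on one crypto map entry: the first peer (ISP A address) is
! tried first, the second (ISP B address) is used when the first fails.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
access-list VPN_TRAFFIC extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
! Each possible peer address needs its own tunnel-group (constructed PSK).
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key EXAMPLE-PSK-PLACEHOLDER
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key EXAMPLE-PSK-PLACEHOLDER

! ===== Dual-ISP ASA (ispA = 203.0.113.1, ispB = 198.51.100.1 - constructed) =====
! Only one default route is installed at a time: the ispB route (metric 254)
! takes over when the ICMP probe toward the ISP A gateway stops answering.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.254 interface ispA
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route ispA 0.0.0.0 0.0.0.0 203.0.113.254 1 track 1
route ispB 0.0.0.0 0.0.0.0 198.51.100.254 254

! Same crypto map bound to both ISP interfaces, so the tunnel can be built
! from whichever interface currently holds the default route.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
access-list VPN_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map DUAL_MAP 10 match address VPN_TRAFFIC
crypto map DUAL_MAP 10 set peer 192.0.2.1
crypto map DUAL_MAP 10 set transform-set ESP-AES-SHA
crypto map DUAL_MAP interface ispA
crypto map DUAL_MAP interface ispB
crypto isakmp enable ispA
crypto isakmp enable ispB
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key EXAMPLE-PSK-PLACEHOLDER
```

After a failover, `show crypto isakmp sa` and `show crypto ipsec sa` on either end will show the SAs rebuilt against the ISP B address, which is the visible sign that sessions crossing the tunnel were interrupted rather than preserved.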

