VPN Failover within the same ASA

May 22nd, 2009

Hi Everyone,

I'm working out a concept here and want to know if this can be done. On an ASA I would like to have 2 different interfaces connect to 2 different ISPs - one primary, one backup. As well, I will be running VPN tunnels across the links.

What I want to know is if I have a tunnel established over ISP A to our remote site, and it fails, is there a way to have the state information and tunnel moved over to ISP B, on the same ASA device?


Farrukh Haroon Sun, 05/24/2009 - 05:48

First of all, the ASA does not support multiple default routes (out different interfaces), so you can't do an active-active ISP setup. It also does not support PBR.

AFAIK, you cannot achieve stateful VPN failover in this manner. You could set 'two' crypto map peer statements on the other side, but this will not give you stateful failover.

Cisco recommends IOS routers for L2L setups, as they are more feature rich in this regard.
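
The two-peer fallback mentioned in the reply above, shown as an added example that is not part of the original thread. It assumes the remote site also runs an ASA with pre-8.4 (2009-era) syntax and an existing ISAKMP policy; all names, addresses (documentation ranges) and keys are constructed placeholders.

```cisco
! Remote-site ASA. Constructed example: 203.0.113.10 stands for the
! head-end ASA's ISP A address, 198.51.100.10 for its ISP B address.

! Interesting traffic: remote LAN to head-end LAN (placeholder subnets).
access-list VPN-TO-HQ extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Peers are tried in the order listed when this side initiates. If the
! first peer stops responding, a NEW tunnel is negotiated with the second:
! fresh IKE and IPsec SAs, no state carried over from the old tunnel.
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside

! One tunnel-group per head-end address, so either peer authenticates.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-KEY>
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-KEY>
```

After a switch to the second peer, `show crypto isakmp sa` on this device lists the ISP B address as the active peer, which confirms the tunnel was rebuilt rather than moved.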



