VPN Failover within the same ASA

Unanswered Question
May 22nd, 2009

Hi Everyone,

I'm working out a concept here and want to know if this can be done. On an ASA I would like to have 2 different interfaces connect to 2 different ISPs, one primary, one backup. As well, I will be running VPN tunnels across the links.

What I want to know is if I have a tunnel established over ISP A to our remote site, and it fails, is there a way to have the state information and tunnel moved over to ISP B, on the same ASA device?



I don't think you will be able to transition a VPN from one IP address on one interface to another IP address on another interface in the event of a failure. The best thing you could do from a redundancy standpoint would be to have an address range that is advertised via BGP to both ISPs. In the event of a connectivity failure, the address would not change (only the route).

To further increase redundancy, use two ASAs capable of A/S failover. This will keep state information between the two devices, but that's not exactly what you are asking for.
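An added illustration of the dual-homed design the reply describes (not configuration posted in this thread): an edge router in front of the ASA originates one provider-independent range to both ISPs, so the ASA's outside address, and therefore the VPN peer address, stays the same whichever upstream carries the route. ASNs, prefixes and neighbor addresses are placeholders (documentation ranges).

```cisco
! Edge router dual-homed to ISP A and ISP B (assumed topology: the ASA sits behind it
! and its outside interface takes an address from 203.0.113.0/24)
router bgp 65000
 bgp log-neighbor-changes
 ! originate our own range; both ISPs learn it, so the VPN peer address never changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description ISP-A (primary)
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 description ISP-B (backup)
 ! make ISP B the less preferred return path while ISP A is up
 neighbor 198.51.100.1 route-map PREPEND-ISP-B out
!
ip prefix-list OUR-RANGE seq 5 permit 203.0.113.0/24
!
route-map PREPEND-ISP-B permit 10
 match ip address prefix-list OUR-RANGE
 set as-path prepend 65000 65000
!
! keep the aggregate in the routing table so BGP always has something to originate
ip route 203.0.113.0 255.255.255.0 Null0 250
```

When the ISP A session drops, the prefix is withdrawn from that peer and inbound traffic follows the ISP B advertisement; the IPsec peers see the same addresses, so only the tunnel's transport path moves, though the ASA's default route must also fail over (for example via its own BGP session or a tracked static route) for outbound traffic.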
