VPN Failover within the same ASA

Unanswered Question
May 22nd, 2009

Hi Everyone,

I'm working out a concept here and want to know if this can be done. On an ASA I would like to have 2 different interfaces connect to 2 different ISPs - one primary, one backup. As well, I will be running VPN tunnels across the links.

What I want to know is if I have a tunnel established over ISP A to our remote site, and it fails, is there a way to have the state information and tunnel moved over to ISP B, on the same ASA device?


mvsheik123 Fri, 05/22/2009 - 09:26


You need to go with tracking the primary ISP config.. someone posted the attached a long time back and I saved it..(so if this is helpful..say thanks to them..;-))

Also, I don't think 'state' information will be moved over without tearing down the existing connections..



bwgray Fri, 05/22/2009 - 09:36

Thanks MS,

Unfortunately I have the need of being able to send the state information over to the other port as well - if possible.

I know there is "juni***" gear that can do this, but I'm not sure if the ASAs can or cannot - currently we're running ASAs.

My goal is to not only have a backup link for the sites, but also the VPN tunnel moved over automatically as well - as the reestablishment of these sessions causes great issues with the customers...


bwgray Sat, 05/23/2009 - 11:08

Hi Paul,

That is correct. The client needs to tunnel through a different ISP which would mean that there is a different ISP in use. I'm not sure if it's possible, but thought I would see if anyone has come across this before...

