Hi, here is my situation, we have two ISPs in HQ, ASA has outside IP from ISP1, we have a WAN load-balancer sitting in front of ASA, when ISP1 goes away, the WAN load-balancer will NAT ISP1 IP to ISP2 IP.
Now I want to implement site2site VPN redundancy for remote offices, I am not sure the following configuration on remote ASA would work:
crypto map mymap 1 match address traffic_to-HQ
crypto map mymap 1 set peer ISP1_IP
crypto map mymap 2 match address traafic_to_HQ
cryto map mymap 2 set peer ISP2_IP
<tuneel-group configuration, exactly the same as above>
ISP1_IP and ISP2_IP are essentially the same IP (HQ-ASA's outside IP) after WAN load-balancer's static NAT, I am wondering what is effect of the above configuration, would remote ASA establish two ISAKMP/IPsec SAs to HQ-ASA? or remote will establish only the first one? if the latter, is it because crypto map seq 1's "match address" ACL is the same as seq 1?