I have an 1811 router that is doing a site-to-site IPsec VPN back to an ASA5510. The primary connection is through Fa0/0, which connects to a telco-provided DSL modem. For backup, the internal modem dials a local ISP and sets up a VPN to the same ASA5510. A GRE tunnel rides inside the VPN tunnel to support OSPF. The GRE tunnel is sourced from Loopback1 on the 1811 and ends on a router behind the ASA. Dial backup is triggered by an IP SLA monitor that pings the ASA.
Failover to dial backup works well. It takes about 30 seconds to get the backup connection up and routing traffic.
Failback to the primary connection works, but as soon as the IP SLA monitor target reachability comes back "up", traffic stops flowing for nearly 2 minutes. The 1811 has 2 sets of IPsec SAs: one set for Fa0/0 and the other for Async0/1/0. I suspect that the ASA is confused about which tunnel to use to send packets back to the 1811. How do I remedy this?
I tried the command "crypto map mymap local-address Loopback1", but then none of the tunnels came up. I suspect it is because the Loopback1 address is a private address and the ASA doesn't know how to get there. I can do "crypto map mymap local-address Fa0/0" and the primary tunnel works, but dial backup never gets a tunnel established.
I suspect that I'll either have to NAT the 1811 Loopback1 address to the public interfaces (how do you do that to overload to two different interfaces?) or do something else.
How do I get this to work without a 2 minute outage during failback?