VPN failover using 2 ISP internet lines

Unanswered Question
Nov 8th, 2009

Hi, can anyone tell me how to set up automatic VPN failover using 2 separate ISP circuits? E.g., our local office has 2 different internet lines connected to an ASA5510. We VPN from this office to all other remote locations. All traffic originates here.

Circuit 1 is primary (default gateway). I use SLA monitoring/route tracking to monitor remote office public IPs on the ASA. When circuit 1 fails, the default route then goes out circuit 2 and sets up a new tunnel. All this works as expected.

The problem is that the crypto map on the remote ASA will still try to route all traffic destined for the local office back to the circuit 1 IP, as it is listed first in the interface crypto map.

What I then see on the remote ASA is 2 tunnels up, to both circuit 1 and circuit 2.

I cannot add an additional tunnel peer on the remote end, as traffic does not originate there. Any ideas?

JORGE RODRIGUEZ Fri, 11/20/2009 - 13:05

Hi, not sure if you found a resolution to your problem; if so, let us know how you solved it. If not, perhaps try enabling DPD (dead peer detection) at both ends. DPD should sense the primary tunnel down and automatically initiate the secondary tunnel per the fallback second peer configured, and route through the backup link. Just a thought... you may want to try it and see if that helps.
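As an added illustration (not configuration from either poster), the following ASA configuration puts together the pieces discussed in this thread: SLA-tracked default routes on the hub, the same crypto map applied to both uplinks, both hub addresses listed as peers on the remote ASA, and DPD on both ends so the stale SA toward the failed circuit is torn down rather than left up. Interface names, the crypto map and ACL names, the transform set, and all addresses (RFC 5737 documentation ranges) are assumptions; pre-shared keys, the ACLs and the transform set are assumed to be defined already.

```cisco
! ---- Hub ASA5510 (local office, two ISP uplinks) ----
! Assumed (constructed) names and addresses:
!   outside1 = ISP1, hub address 203.0.113.10, ISP1 gateway 203.0.113.1
!   outside2 = ISP2, hub address 192.0.2.10,   ISP2 gateway 192.0.2.1
!   remote office public address 198.51.100.10
!
! ICMP probe toward the remote office via ISP1. When it fails, the tracked
! default route is withdrawn and the floating route via ISP2 takes over, so
! both plain traffic and the newly built tunnel leave through circuit 2.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.10 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 10
route outside2 0.0.0.0 0.0.0.0 192.0.2.1 254
!
! One crypto map bound to both uplinks, so the hub can initiate from either.
crypto isakmp enable outside1
crypto isakmp enable outside2
crypto map VPN_MAP 10 match address REMOTE_OFFICE
crypto map VPN_MAP 10 set peer 198.51.100.10
crypto map VPN_MAP 10 set transform-set ESP-AES-SHA
crypto map VPN_MAP interface outside1
crypto map VPN_MAP interface outside2
!
! DPD on the hub side: probe every 10 s, retry every 2 s before declaring dead.
tunnel-group 198.51.100.10 ipsec-attributes
 isakmp keepalive threshold 10 retry 2

! ---- Remote office ASA ----
! Both hub addresses are listed as peers so a tunnel from either circuit is
! accepted. DPD detects that the circuit 1 address no longer answers and
! removes that SA, leaving only the tunnel to the circuit 2 address.
crypto map VPN_MAP 10 match address HUB_OFFICE
crypto map VPN_MAP 10 set peer 203.0.113.10 192.0.2.10
crypto map VPN_MAP 10 set transform-set ESP-AES-SHA
crypto map VPN_MAP interface outside
tunnel-group 203.0.113.10 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group 192.0.2.10 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
```

After a failover, `show crypto isakmp sa` on the remote ASA should show only the SA to the active hub address once the DPD retry window has elapsed; two SAs lingering there indicates DPD is not active on that tunnel-group.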
