I wonder if anyone can help.
Our remote sites typically have an IPSEC VPN connection terminating on our head office ASA.
At one of the more critical remote sites, we are trying to implement some resilience for them to protect against a circuit failure. So, they have 2 Cisco 1841 routers, one connected to an ADSL line (secondary), one connected to a fixed rate 10Mbps circuit (primary).
I have configured the routers as an HSRP pair (and am running EIGRP between them) so that if the primary router or 10Mbps circuit fails, the secondary router takes over and traffic will flow from their LAN to the secondary router and then use the ADSL line to build the IPSEC tunnel to head office.
On the head office ASA, I have simply configured the 2 corresponding remote peers.
Now, I think as far as the remote site is concerned, it's working as expected.
However, earlier in the week we noticed that the site was complaining that things were running slow. When I checked it out, it seemed that the ASA had actually built a tunnel to the secondary router at the remote site so the ADSL line was being used rather than the 10Mbps circuit. There hadn't been any problems with the primary router or circuit and, indeed, the primary router was still active in the HSRP pair at the remote site.
Is there any way I can configure the dead peer detection on the ASA to favour one peer over the other to prevent this happening? (I have the primary peer listed first)
For the time being, I've simply removed the secondary peer from the ASA altogether so it will only establish an IPSEC tunnel with the primary remote router but, this obviously means my automatic resilience plans for the remote site have been thwarted too!
Can anyone advise on how to set this up as desired, i.e. so that the primary circuit will be used at all times unless there is a failure of the remote site's primary router or circuit (and then I want to automatically go BACK to the primary comms again once that problem has been fixed)?
NOTE: unfortunately, as is all too often the case with these things, this has been implemented on a production network and my opportunities to test are limited.
Thanks for any advice/suggestions you can give.