VPN failover

Unanswered Question
Mar 9th, 2010

Is it possible to have two VPN endpoints configured in two separate sites, one as a primary and one as a DR site? All VPN peers should connect to the primary site; however, if it is unavailable, they connect to the DR VPN endpoint?

Federico Coto F... Tue, 03/09/2010 - 12:22


It is possible to have two VPN endpoints in two different sites as long as both sites can reach the same internal network and resources.

For example, if you have Site A and Site B, most likely both sites don't share the same internal network. This is a problem if a peer connects via VPN to the first site and then fails over to the second site. (This problem does not happen if both VPN endpoints are in the same location.)

It is not impossible to have the failover for the two VPN endpoints on different sites, but you have to be very cautious with the routing (it all depends on the topology).

Let me know if you have any questions.


networker99 Tue, 03/09/2010 - 12:45

Thanks for your reply.. both endpoints do share the same internal LAN.. How would you configure this on an ASA?

Federico Coto F... Tue, 03/09/2010 - 13:09

It depends if the configuration is for Site-to-Site VPN or Remote Access...

Either way, the client or peer needs to point to both IPs of the VPN headend (one having priority), and both VPN headend devices should share the same crypto configuration.

Let me know the details so that I can help you further.


Federico Coto F... Tue, 03/09/2010 - 13:26

For example, if you have a L2L, then under the crypto map you specify on the peer:

cry map NAME 60 set peer

Assuming the first VPN headend is and the second is

If it's a VPN client, then in the VPN software, under the backup servers command, you can enable the backup IPs in order of priority.
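The two pieces described in this thread (a crypto map entry that lists both headends in priority order, and the backup-servers setting for remote-access clients) as an added ASA configuration example; it is not from the original posts. The 203.0.113.x addresses, the 10.x networks, the object names and the key are placeholders, and both headends must carry an identical pre-shared key, transform set and mirrored traffic ACL for the spoke entry to match either one.

```cisco
! Remote site (spoke) ASA: one crypto map entry, two peers in priority order.
! 203.0.113.1 = primary headend, 203.0.113.2 = DR headend (placeholder addresses).
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
access-list VPN-TRAFFIC extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto map OUTSIDE_MAP 60 match address VPN-TRAFFIC
crypto map OUTSIDE_MAP 60 set peer 203.0.113.1 203.0.113.2
crypto map OUTSIDE_MAP 60 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! One tunnel-group per headend; the same PSK is configured on each headend's
! tunnel-group for this spoke. Keepalives (DPD) are what let the spoke notice
! a dead primary and move to the second peer instead of waiting for SA expiry.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
 isakmp keepalive threshold 10 retry 2
! Remote-access equivalent, applied on the primary headend: the group policy
! pushes the DR headend to the VPN client as its backup server.
group-policy RA-POLICY attributes
 backup-servers 203.0.113.2
```

Because both headends sit on the same internal LAN in this thread, the 10.20.0.0/16 side of VPN-TRAFFIC is the same on either headend; with separate LANs per site this ACL and the internal routing would have to differ per peer, which is the routing caution raised above.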


