Automatic IPSEC Tunnel Failover

Unanswered Question
Apr 6th, 2010


We are thinking about how we can make our IPSEC tunnels fail over automatically. We have a simple design where the IPSEC endpoint is terminated on a PIX/ASA firewall and the other end is our client. We want to have a mechanism so that whenever our client peer goes down, the traffic will be rerouted to one of our centers which has the backup tunnel configuration. Usually we use static routes to force the traffic to be routed to the other center, but we want to do it automatically. Do you have any idea how? Thanks.


Paolo Bevilacqua Tue, 04/06/2010 - 00:45

What's the point? If "client goes down", that means they lost internet connectivity, and there is no solution unless another internet circuit is available.

Jennifer Halim Tue, 04/06/2010 - 00:55

I assume what you mean is if the vpn client is unable to reach the primary IPSec peer, which is PIX/ASA at the main site, you would like the vpn client to automatically try to connect to your other centre (assuming that VPN Client IPSec has been configured at your other centre).

If the above assumption is correct, on the vpn client you can enable the backup server list and add the other centre as the peer. However, you would need to make sure that the group name and pre-shared key are the same as at the main site.

Hope that helps.

John Patrick Lopez Tue, 04/06/2010 - 01:19

Oh thanks for the reply but I think I didn't make myself clear.

Our setup is that we access our clients' servers using a point-to-point IPSEC tunnel. There are times when the ISP loses connectivity to the client's network for unknown reasons. It could be a link failure or too much congestion. If that happens, our ASA/PIX firewall will lose connectivity to its peer. So what we do in our core switches is point the traffic to another center/office, using our internal links, where the backup IPSEC tunnel configuration is configured. The backup ISP is a different provider, so there is a chance that the peer can be reached from the other one. The backup tunnel is also used whenever our primary internet is down.

Jennifer Halim Tue, 04/06/2010 - 01:29

You can configure 2 "set peer" statements on the same crypto map to that client. It will connect to the first peer on the list, and if the first peer is not accessible, it will automatically try to connect to the second peer configured.


crypto map mymap 10 match address
crypto map mymap 10 set peer
crypto map mymap 10 transform-set

Also need to remember to configure pre-shared-key for the second peer.
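To make the two-peer crypto map described above concrete, here is an added example configuration (not from this thread or from Cisco documentation). The ACL name, transform set, interface name, subnets, peer addresses and keys are placeholders to be replaced with your own values, and the tunnel-group syntax assumes ASA software 7.x or later (PIX 6.x uses the older isakmp key ... address ... form instead).

```cisco
! Added example, not from the thread. All names, addresses and keys are placeholders.
!
! Crypto ACL: interesting traffic from our LAN to the client's server subnet
access-list CLIENT-VPN extended permit ip 10.10.0.0 255.255.0.0 192.0.2.0 255.255.255.0
!
! Phase 1 and phase 2 parameters (assumed values, match them to the client's side)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
!
! One crypto map entry with two peers: the ASA negotiates with 203.0.113.1 first
! and only tries 198.51.100.1 if the first peer does not respond.
crypto map mymap 10 match address CLIENT-VPN
crypto map mymap 10 set peer 203.0.113.1 198.51.100.1
crypto map mymap 10 set transform-set ESP-AES-SHA
crypto map mymap interface outside
!
! Each peer needs its own tunnel-group with a pre-shared key; forgetting the
! second one is the usual reason the fallback peer never comes up.
! Dead peer detection shortens the time before the ASA gives up on a peer.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key KEY-FOR-PEER-1-PLACEHOLDER
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key KEY-FOR-PEER-2-PLACEHOLDER
 isakmp keepalive threshold 10 retry 2
!
! Verification: "show crypto isakmp sa" shows which peer the SA was built with,
! and "show crypto ipsec sa peer 198.51.100.1" confirms traffic after a failover.
```

Keep in mind that this only covers a second peer on the client's side; it does not by itself move traffic to your other center when your own ASA loses its ISP.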

John Patrick Lopez Tue, 04/06/2010 - 02:15

Yes that is correct if I need to configure one ASA/PIX with two different peers. But the other center where the backup internet is located also has a PIX/ASA pointing to the same peer.

So technically, we are the redundant one, not the client. We just connect to one end-point, and they can connect to us through 2 end-points on different ISPs.

Paolo Bevilacqua Tue, 04/06/2010 - 02:18

Would it be better to have the ISP fix the unacceptable loss of connectivity toward the internet?