ASA VPN Traffic move over the secondary back-up ISP

Unanswered Question
May 9th, 2010

Hello Experts,

We have two ISP links, and the second one is used for back-up purposes: in case the first link goes down, all internet traffic moves over the second link, and when the primary link comes back up, the traffic moves back as before.

The STS tunnel is configured, and around 10 production sites are connected via the first ISP link. When the primary link works, only the tunnel traffic can move and the remote sites are accessible, but in case the primary link goes down, the internet works fine as the firewall replaces the route for the internet traffic. I have tried to configure the STS VPN connection to test whether the VPN traffic moves to the backup link if the primary ISP goes down, but I have not succeeded. I am following the same STS tunnel configuration as configured for the primary ISP.

Can anyone suggest what settings are required so that the VPN traffic also works in case of failure of the primary link?

Please advise.


Vinay Gupta

Federico Coto F... Sun, 05/09/2010 - 09:31


If you have at your site an ASA that terminates both ISP connections and establishes two tunnels (one primary and one backup), then besides the regular L2L configuration you need the following:

Have the crypto map applied to both interfaces of the ASA.

If using static routes, you can use IP SLA to monitor the status of the link and prefer one ISP connection over the other, and allow the fall-back to occur.

The details of the configuration depend on whether you are using two separate interfaces on the ASA for VPN tunnel termination or just one (for both ISPs).

How do you have your topology?
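The two points above (crypto map on both ISP interfaces, IP SLA tracked static routes) put together as an added example in ASA 8.2-era syntax; this is not configuration from the thread. Interface names `outside` and `backup`, the ISP gateway addresses, the peer address 192.0.2.10, the subnets and the pre-shared-key placeholder are all assumed values for illustration.

```cisco
! --- ISP link monitoring: ping the primary ISP gateway from the outside interface
! --- (assumed gateway 203.0.113.1)
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! --- Default routes: the primary route is withdrawn when track 1 goes down,
! --- so the floating backup route (metric 254) takes over, and it is
! --- reinstalled when the SLA probe succeeds again
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
!
! --- Interesting traffic and NAT exemption for the site-to-site tunnel
! --- (assumed local 10.1.0.0/16, remote 10.2.0.0/24)
access-list VPN-SITE1 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list NO-NAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
!
! --- Phase 1 / Phase 2 policy
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
!
! --- Remote peer (assumed 192.0.2.10); replace the placeholder key
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
!
! --- One crypto map, applied to BOTH ISP-facing interfaces, and ISAKMP
! --- enabled on both; a map bound only to "outside" can never bring the
! --- tunnel up through "backup"
crypto map VPNMAP 10 match address VPN-SITE1
crypto map VPNMAP 10 set peer 192.0.2.10
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP interface outside
crypto map VPNMAP interface backup
crypto isakmp enable outside
crypto isakmp enable backup
```

The remote site has to accept the hub from either public address, so its own crypto map lists both (`set peer <outside-ip> <backup-ip>`) and it has a tunnel-group for each. Tunnel state does not migrate between interfaces: the SA built on `outside` times out or is cleared, and a new one is negotiated on `backup` when interesting traffic follows the floating route.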


ray_stone Mon, 05/10/2010 - 00:43


I am using two separate interfaces for both internet links, and I have already made crypto rules for the secondary backup internet link, but it is still not working once the primary goes down.

On the other hand, the internet works fine in both cases, whether the primary link fails or comes back functional after going down, which means the SLA configuration on the static route is working fine.


Vinay Gupta

Federico Coto F... Mon, 05/10/2010 - 07:01

So, the fallback of interfaces is working fine (IP SLA is working).

But the VPN is not getting established via the second interface?

Are you connecting VPN clients to the ASA or Site-to-Site?

Can you post the configuration?

Do you see the tunnel trying to establish on the second interface when the primary goes down?
