Hi. We are using an ASA failover pair and tracking an interface so that we have Internet failover out a second interface to another ISP. When the failover happens, we'd like the VPN tunnels to renegotiate using the backup Internet interface to the second ISP. Is this possible? Thanks!
I think you will have to do NAT at some internet router in front of the ASA when the traffic switches from primary to secondary (or when the primary fails), and the remote ASA will have to point to two peer internet routers. If one of the internet links fails, the traffic will be put onto the other internet link using HSRP. For the remote gateway to accept the traffic from the secondary gateway, the same crypto map on the remote gateway should point to both gateways. You will have to configure more than one peer on the crypto map. Also, the traffic has to be originated from the remote side, because on 7.x code, with more than one peer on the crypto map, the tunnel would need to be initiated just from that specific peer.
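As an added illustration (not taken from this thread) of the two pieces discussed above, here is an 8.2-style ASA configuration: interface tracking with a floating default route on the dual-ISP side, and a crypto map entry with two peers on the remote side. All addresses, interface and object names, and the PSK placeholder are assumed; the remote side's ISAKMP policy, transform set and NAT exemption are assumed to mirror the hub's.

```cisco
! --- Hub ASA (dual ISP: "outside" to ISP 1, "backup" to ISP 2) ---
! Probe the ISP 1 next hop; when it fails, the tracked route drops and the backup wins.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! ISAKMP and the crypto map are enabled on BOTH Internet interfaces so the
! tunnel can terminate on whichever one currently holds the default route.
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
access-list VPN_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map VPN_MAP 10 match address VPN_TRAFFIC
crypto map VPN_MAP 10 set peer 192.0.2.1
crypto map VPN_MAP 10 set transform-set ESP-AES-SHA
crypto map VPN_MAP interface outside
crypto map VPN_MAP interface backup
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key <PLACEHOLDER_PSK>
!
! --- Remote ASA (single ISP, outside address 192.0.2.1) ---
! Two peers in one crypto map entry: the second is tried when the first is unreachable.
! A tunnel-group must exist for each peer address, and as noted above the remote
! side has to initiate the tunnel when the map lists more than one peer.
crypto isakmp enable outside
access-list VPN_TRAFFIC_REV extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map VPN_MAP 10 match address VPN_TRAFFIC_REV
crypto map VPN_MAP 10 set peer 203.0.113.2 198.51.100.2
crypto map VPN_MAP 10 set transform-set ESP-AES-SHA
crypto map VPN_MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <PLACEHOLDER_PSK>
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key <PLACEHOLDER_PSK>
```

On 8.4 and later the equivalent commands are `set ikev1 transform-set` and `ikev1 pre-shared-key`; the tracking and multi-peer logic is unchanged.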
Were you able to get this configured as desired? I am in the process of trying to do a similar thing. I have a VPN over ISP 1 on Firewall 1 to ISP 1 on Firewall 2, each at a different site, and I need the VPN to fail over along with the Internet link.