
Datacenter Dynamic VPN Failover with ASA's

I have two datacenters connected via EIGRP dynamic routing. Branch offices terminate at the datacenters via leased lines.

I would like to back up the leased lines with IPsec VPN on either ASA 5520s or higher or Cisco 2800 routers. Using either EIGRP on the ASAs or static routing with a higher Advertised distance, I would like to fail over to the IPsec VPN tunnels automatically if any leased line is down. I am planning to have a pair of ASAs between the datacenters and connect all branch offices to the ASAs via IPsec tunnel.

Has anyone done this before?

Will it be better to use Cisco routers instead of ASAs, with better throughput? Does anyone have a design?



Re: Datacenter Dynamic VPN Failover with ASA's

I have not done it on that large a scale, but I have set up sites to fail over with VPN. There is a good book on designing such scenarios.

I prefer to use routers since they have more functionality, but setting up the ASA to do it wasn't that bad.

Re: Datacenter Dynamic VPN Failover with ASA's


I have a copy already. Might have to go through it.

Any more ideas?

Re: Datacenter Dynamic VPN Failover with ASA's

Great. It really isn't that hard :), I used EIGRP and floating static routes. Do you have a specific question?

Re: Datacenter Dynamic VPN Failover with ASA's


No routing question at this stage.

Thanks anyway.

Re: Datacenter Dynamic VPN Failover with ASA's


Would you mind posting a copy of the working configuration? I have a situation where I have an ASA 5505 in the main site and a Cisco 2801 at the remote site. The primary connection between them is a P2P T1, but I want to use VPN over DSL as backup. I am having a problem bringing up the VPN tunnel when the T1 is down. Any help will be appreciated. TIA. H. Wilson

Re: Datacenter Dynamic VPN Failover with ASA's

Hello Franco,

ASAs cannot terminate a GRE tunnel, which is essential for building this structure with dynamic routing protocols.

I had a couple of ASA 5540s in the core in one of the projects that I led, with 500 simultaneous RA connections from branches replicating SQL databases from all over the country; throughput has never been an issue. But forget about Active/Active failover of site-to-site IPsec VPN tunnels. It is not supported. You can do Active/Passive.

Do branches have 2 different routers for terminating the leased line and an internet connection? What kind of switches are involved?