Cisco Support Community

VPN failover using 2 ISP internet lines

Hi, can anyone tell me how to set up automatic VPN failover using 2 separate ISP circuits? E.g., our local office has 2 different internet lines connected to an ASA5510. We VPN from this office to all other remote locations. All traffic originates here.

Circuit 1 is primary (default gateway). I use SLA monitoring/route tracking to monitor remote office public IPs on the ASA. When circuit 1 fails, the default route then goes out circuit 2 and sets up a new tunnel. All this works as expected.

The problem is that the crypto maps on the remote ASA will still try to route all traffic destined for the local office back to the circuit 1 IP, as it is listed first on the interface crypto map.

What I then see on the remote ASA is 2 tunnels up, to both circuit 1 and 2.

I cannot add an additional tunnel peer on the remote end as traffic does not originate there. Any ideas?


Re: VPN failover using 2 ISP internet lines

Hi, not sure if you found a resolution to your problem; if so, let us know how you solved it. If not, perhaps try enabling DPD (dead peer detection) at both ends. DPD should sense the primary tunnel is down and automatically initiate the secondary tunnel per the fallback second peer configured, and route through the backup link. Just a thought… may want to try it and see if that helps.

