Cisco Support Community
New Member

IP SLA Failover for internal traffic out site-to-site VPN


I am in the process of researching a way to configure a router for fail over when the internal EIGRP link is down to then route to the firewall out a site-to-site VPN connection via the internet back to our core. I've been focusing on IP SLAs and reading on those, however I'm unclear if this is the best or easiest method. Is a weighted route just as effective?

I've been reading here:


Drawing reflects topology. If link from RTR1 fails into EIGRP cloud, I'm looking for fail over to FW1 out site to site VPN to Core Firewall.






VIP Super Bronze

Hi,


Are you using static routes for your site-to-site VPN?

If yes, you can assign a higher AD than EIGRP (90) to it and that should become your backup connection.
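
The backup-route behaviour suggested in the reply above, modelled as an added example that is not part of the original thread: a small route-selection simulation for RTR1 showing when a static route toward FW1 stays dormant and when it takes over. The `10.0.0.0/8` core prefix, the AD value 200 and the next-hop labels are constructed placeholders, and the model covers only prefix length and administrative distance.

```python
import ipaddress

# Cisco IOS default administrative distances (lower is preferred).
AD = {"connected": 0, "static": 1, "eigrp": 90, "eigrp-external": 170}

class Rib:
    """Minimal routing-table model: longest prefix first, then lowest AD."""

    def __init__(self):
        self.routes = []  # (network, source, next_hop, distance)

    def add(self, prefix, source, next_hop, distance=None):
        dist = AD[source] if distance is None else distance
        self.routes.append((ipaddress.ip_network(prefix), source, next_hop, dist))

    def withdraw(self, source):
        """Drop all routes from one source, e.g. when the EIGRP neighbor is lost."""
        self.routes = [r for r in self.routes if r[1] != source]

    def lookup(self, dest):
        addr = ipaddress.ip_address(dest)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        # Prefix length is compared before AD, so a more specific static
        # route wins no matter how high its distance is set.
        best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
        return best[2]

def build_rtr1(static_prefix="10.0.0.0/8", static_ad=200, eigrp_source="eigrp"):
    """RTR1 with the core prefix learned via EIGRP plus a static toward FW1.

    IOS form of the static (placeholders, not from the thread):
        ip route <core-prefix> <mask> <FW1-address> 200
    """
    rib = Rib()
    rib.add("10.0.0.0/8", eigrp_source, "EIGRP-cloud")
    rib.add(static_prefix, "static", "FW1", distance=static_ad)
    return rib

if __name__ == "__main__":
    rib = build_rtr1()
    print("EIGRP up:  ", rib.lookup("10.1.1.1"))
    rib.withdraw("eigrp")
    print("EIGRP down:", rib.lookup("10.1.1.1"))
```

Two cases make the static route carry traffic even while EIGRP is healthy: the core prefix arriving as an external EIGRP route (AD 170) with a static AD below that, and a static prefix more specific than the EIGRP-learned one.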


New Member

I'm not certain, can you help identify from the below config?


ASA Version 8.2(5)

interface Ethernet0/0

 switchport access vlan 2
 speed 100
 duplex full
interface Ethernet0/1
 description Inside
 speed 100
 duplex full
interface Ethernet0/2
 description Guest
 switchport access vlan 4
 speed 100
 duplex full
interface Ethernet0/3
 speed 100
 duplex full
interface Ethernet0/4
 speed 100
 duplex full
interface Ethernet0/5
 speed 100
 duplex full
interface Ethernet0/6
 speed 100
 duplex full
interface Ethernet0/7
 speed 100
 duplex full
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 description Outside
 nameif outside
 security-level 0
 ip address
interface Vlan4
 no forward interface Vlan1
 nameif Guest
 security-level 50
 ip address
ftp mode passive

dns server-group DefaultDNS
object-group network DM_INLINE_NETWORK_1
object-group network
access-list xxxx standard permit
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip object-group yyyy object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip object-group yyyy object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
nat (Guest) 1
access-group outside_access_in in interface outside
route outside 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
