Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Redundant Tunnels

I was wondering if anyone knew if it was possible to apply the same crypto map (or an identical crypto map at least) to two interfaces on the same ASA?

I have two ethernet circuits being handed off by two ISPs at the Core of a hub and spoke IPVPN network, with different circuit addressing, and would like to use one of these circuits as a backup endpoint for the VPN tunnels.

I know it is fairly easy to specify a backup peer in the PIX firewalls at the remote locations, but am uncertain as to how the ASA will decide which crypto map to use if it has two maps that matched the traffic it sees. Are the priority levels in a cyrpto map locally significant or global?


Re: Redundant Tunnels

mmm ... in fact you can just add another VPN server on the configuration on the spoke .. specially if you are using VPN client for setting up the tunnel.

Now from the ASA I don't think you can have that functionality while the same interesting traffic is applied to 2 crypto maps which in turn are enabled in two separate interfaces. What you can do is to replicate the same crypto configuration using a different cryto map name and leave it saved on the config WITHOUT binding it to the second interface.

When link to ISP 1 goes down then you can remove the crypto map from the failed interface and applied the second crypto map to the interface connected to ISP 2. I know this is not automatic as you would like but perhaps is your only option.

I hope it helps .... please rate it if does !!!