Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

redundant vpn tunnels?

So I may have done something wrong or I just dont understand this.

We have an ASA 5520 at our Datacenter which has one link to the internet. We all so have remote offices with 2 ISP's one primary and one backup each with diff IP address. I setup vpn tunnels between the them (asa 5505/5510 in the remotes).

What I want to do is having a backup tunnel dial out if the outside interface fails. I use IP SLA to track the t1 and if it goes down fail over to DSL. This works, but I tried every way I can think of to move the tunnel and it just plane fails.

I called TAC and they said try using the set connection-type command, use originate-only at the datacenter and answer-only on the remote site. The tunnel does come if we are using the outside interface but if we fail over the ASA in the remote office the DC keep trying only one IP (the outside int of remote office). I cant for the life of me figure this out. TAC gave up and closed the call.

Anyone know why?

We have 5520 at the DC running 7.0.5, remotes are all 7.22.

any help would be great


  • Other Security Subjects

Re: redundant vpn tunnels?

Could you post a config please?

You must run isakmp keepalive for this as well.