Cisco Support Community
VPN "failover" with one ASA

We have a site-to-site VPN, with split tunneling, between a branch office and headquarters. The VPN is used to extend the Active Directory (AD) infrastructure to the branch office. The split tunneling ensures that only AD and DNS traffic from the branch office goes through the VPN. All other traffic, such as web, does not go through the VPN. The DHCP pool on the branch office router is configured as follows:

ip dhcp pool client
 dns-server AD_DNS1 AD_DNS2 ISP_DNS1 ISP_DNS2

When the VPN is up, client computers at the branch office use the Active Directory DNS servers. When the VPN goes down, client computers use the ISP's DNS. From the users' point of view, everything is fine. This all happens automatically.

Let's say we do not want to use split tunneling anymore. Is there a way to configure the branch office router such that all traffic flows through the VPN when the VPN is up, and all traffic goes through the ISP when the VPN is down?


Re: VPN "failover" with one ASA

I think you want to configure your ISP link as the backup link and the VPN as the primary one. The URL below explains, with an example, how static route tracking allows the security appliance to use an inexpensive connection to a secondary Internet service provider (ISP) in the event that the primary leased line becomes unavailable.

In order to achieve this redundancy, the security appliance associates a static route with a monitoring target that you define. The service level agreement (SLA) operation monitors the target with periodic Internet Control Message Protocol (ICMP) echo requests. If an echo reply is not received, the object is considered down, and the associated route is removed from the routing table. A previously configured backup route is used in place of the route that is removed. While the backup route is in use, the SLA monitor operation continues to try to reach the monitoring target. Once the target is available again, the first route is replaced in the routing table, and the backup route is removed.
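The mechanism described in the reply above, written out as an added ASA configuration example. This is not code from the original post or from the Cisco document the reply refers to; the interface names ("outside", "backup"), the addresses, the monitoring target and the SLA/track numbers are all assumptions chosen for illustration.

```cisco
! Assumed topology (placeholders for this example):
!   primary default route  via interface "outside" to next hop 203.0.113.1
!   backup default route   via interface "backup"  to next hop 198.51.100.1
!   monitoring target 192.0.2.10, a host you control that answers ICMP echo
!   and whose replies return over the primary path

! 1. Define the probe: ICMP echo to the target every 10 s, three packets per
!    run, 1 s reply timeout. "interface outside" pins the probe to the primary
!    interface, so it keeps testing the primary path even after the tracked
!    route has been withdrawn.
sla monitor 123
 type echo protocol ipIcmpEcho 192.0.2.10 interface outside
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 123 life forever start-time now

! 2. Track object 1 follows the reachability result of SLA operation 123.
track 1 rtr 123 reachability

! 3. Primary default route, administrative distance 1. It is present in the
!    routing table only while track 1 reports the target reachable.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1

! 4. Floating backup default route with a worse administrative distance (254).
!    It is installed only while the tracked primary route is absent and is
!    removed again as soon as the primary route returns.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
```

To verify the state on the appliance, use `show sla monitor operational-state 123` (probe results), `show track 1` (up/down state of the track object) and `show route` (which default route is currently installed). Two practical checks: the target must be a host you control and that reliably answers ICMP, since a target that rate-limits or filters echo requests produces a spurious failover; and ICMP echo replies to the ASA's own outside interface must not be blocked by an `icmp` control-list entry on that interface. Note also that route tracking only moves the default route; whether traffic is still encrypted on the backup path is decided by the VPN (crypto map) configuration, not by the route, so decide which traffic you are willing to send in the clear while the backup route is active.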