Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Failover between two ASA5510 when using EzVPN nem


Our Data Centre has two connection into it and we have an ASA5510 on each connection with an 1800 router between them and the servers. We have around 15 EzVPN (nem) connections that terminate on one of the ASA's that our remote sites use to access the Citrix servers.

N.B We had to use EzVPN for the VPN's because (for reasons unknown) regular L2L VPN's didn't perform well enough and the EzVPN's do.

I would like to use the 2nd ASA as a failover connection to the datacentre if the primary ASA or its circuit fails.

I have put the backup ASA into the EzVPN config (as a backup peer) on the remote site routers and the EzVPN connections failover OK when the primary ASA is taken down: The SA's build fine. However traffic does not travel over the backup VPN. I fear this is a routing issue as packets are going to data centre but they are not comming back.

We are not using any routing protocols at present, only Static routes. I have put a backup static route on the 1800 router with a higher Metric to try and push taffic down the backup ASA when the primary ASA is down but the route does not get added to routing table.

Do I have to use a Routing protocol?

Can Routing protocols be used with EzVPN?

Do I need to use GRE Tunnels?

Any advise would be helpful.



Cisco Employee

Re: Failover between two ASA5510 when using EzVPN nem

If I understand correctly, the ASA's are in front of the 1800's, that have the servers behind them. There are other ezvpn clients that connect to the ASA's.

You would have to use some sort of dynamic routing protocol, with reverse-route injection, and then redistribute the statics from the ASA to the dynamic routing protocol you are running.

CreatePlease login to create content