ASA Multiple VPN tunnels

Scott Hanson · ‎04-11-2014

Hello,

On the ASA 5505 is it possible to have 2 different VPN tunnels that use 2 different ISPs to terminate back to the same location? Scene. Cisco Unified Communications Manager at a central data center. Several remote sites. The phones register to the Communications Manager at the central site. If there is only a single tunnel up and that connection goes down for whatever reason the phones have to go through a re-registration process. It takes less than a minute but it is still on inconvenience. I was thinking that if there was a way to have 2 VPN tunnels up and going back to the data center I might be able to avoid the re-registration process. I might lose in-progress calls but that's better than nothing. End Scene.

Thanks in advance. All replies rated.

Marvin Rhoads · ‎04-12-2014

You can failover to a second interface and ISP but you cannot simultaneously have two active interfaces, both with equal cost default routes, on an ASA.

To do the failover, you could bind your certificate/ssl-trustpoint to both outside interfaces isp1 and isp2. You would have to have some route tracking using ip sla to flip your default route from the primary isp to the backup in the event of a failure and some way of changing your DNS automatically to use the new outside interface IP instead of the old one.

To do what you're describing well, you would instead use a router with connections to your ISPs. You would have either Provider-Independent address or the secondary ISP would agree to route the address assigned by the primary ISP. In either case, it would have to be a routable /24 (or larger). The ASA sits behind the router and only has its single public IP address and interface. No mater which path the phones come in via, they get to that same ASA address.