Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA Private Link to VPN Failover

Hello, looking for some direction on a network deployment. We have approx 15 sites, two being hub sites and the rest remote sites. All sites have primary and backup internet connections, as well as a private Ethernet over fiber link. Hardware will be all ASAs, 5515s, 5512s, 5505s.

The primary inter-site communication will be the private link, probably using OSPF of EIGRP (recommendations here welcome).

I am ok with all of the above, but have some questions on utilizing the internet connections to support failover to VPN for the private link.


1. Assuming the private links and routing are all configured, how would I add VPN failover?

a. VPN should failover to the two hub locations if the private link is down. I assume a single tunnel with a primary and secondary peer address for each hub, since it wouldn't need to connect to both hubs at the same time?

b. VPN should provide spoke-hub-spoke communication so that the failed site could still connect to all other sites through the VPN.

c. Not sure of the combination of dynamic routing/static routes/SLA tracking necessary to support this config.



2. VPN should support either primary or backup internet connection.

a. It appears that ASDM is not able to apply a single crypto map to multiple interfaces (to support same vpn tunnel on both primary and backup), it only allows one. With CLI you can create a single crypto map and apply to multiple interfaces. Am I missing how to configure this via ASDM, or is CLI the only way?


3. Does VPN follow most specific route the same way normal traffic routing does?

a. If I configure a 'blanket' VPN to tunnel all 'internal' traffic to a hub site (i.e. 10.50.x.x/16), but have one dedicated VPN to a datacenter location (10.50.50.x/24), will it behave as planned and all 10.50.x.x traffic (,, etc) will go to the hub except traffic to 10.50.50.x will go to the data center?




  • VPN
Everyone's tags (1)
New Member

Nobody has any thoughts or an

Nobody has any thoughts or an example working config for this?

So far I have the private link working with EIGRP, then added a tracked static route for the VPN networks pointing to ISP gateway with a high metric. In theory the lower metric EIGRP routes take preference and traffic is routed over the private link until it is down, routes removed, and the backup default route to ISP takes over and establishes VPN. This mostly works. When I manually fail the private link the VPN starts up and connects, and everything works. The issue is that the VPN isn't torn down when the private link comes back up and EIGRP routes are available again. The VPN stays up, and all traffic stops. If i manually tear down the VPN traffic flows again, then for some reason 5-10 minutes later the VPN re-establishes and breaks traffic again. I have to keep the VPN disabled to prevent it from starting up on it's own.

Any thoughts on how to keep the failover VPN down until needed, and to make sure it tears down the VPN immediately when the private link and EIGRP routes are back online?