Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Backup IPSEC connection multiple remote Internet egress sites won't allow multiple any encryption domains

Hi Folks,

I have currently setup an ASA at a remote site in the middle of the USA which tunnels all traffic back to our West coast HQ to use its Internet connection.  It works great.  However, I also want to have another tunnel to our East Coast HQ to use its Internet connection should a failure occur on the West Coast.  I'm bascially using the "any" remote network as a default route to the Internet via the IPSEC VPN tunnel.

The ASA gives me a warning in ASDM if I have multiple connections setup that over lap.  I.E.  I have Local Network:  Remote Network: any.  I cannot repeat this for a different connection profile as a backup.

Is there anyway the ASA can support having multiple "any" tunnels to primary and backup sites?

New Member

Gave up and called TAC. Its

Gave up and called TAC.


Its easy to setup backup peer's for IPSEC tunnels, first off, can't use IKEv2 (boo) had to go back to IKEv1, have to use keep alives.


Never could get the recommended "originate only" on the remote sites working correctly, but at "bidirectrional" worked fine, doesn't matter because I'm using a dynamic IP at the remote sites, the head ends will never initiate the VPNs (I don't have the "static IP" box checked).


Anyway, in ASDM go to Site to Site VPN section, then Advanced, create a tunnel group for each peer primary and backup.  then in the Crypto Maps section select the static entry you are working with, in the Peer settings below put the new backup peer and click add.  

Best practice is to have the remote sites use originate only and headends be answer only so the headends don't initiate the tunnels and cause a "loop"

Now to mess around with the EIGRP routing to finish this all off.  If anyone has hints let me know, my devices don't support IP SLA or else I would have been done with this already :(

New Member

to test, just booting off the

to test, just booting off the tunnel isn't enough, the phycial interface has to actually go down, or I found you can just uncheck the "Enable IKEv1" on the Connection Profiles list and apply THEN go and LOGOUT the connected VPN, it will failover to the other peer.


Works great.