Cisco Support Community

Backup peer IP configuration on site-to-site VPN between ASA & SonicWall

Is it possible to specify a backup peer IP address on a Cisco ASA v8.4 when connecting to a SonicWall firewall via a site-to-site VPN?

The "crypto map set connection-type" seems to be specific to VPNs between Cisco devices.

Does anyone have peer failover working between an ASA and SonicWall firewall and would be willing to share how this was done?




Backup peer IP configuration on site-to-site VPN between ASA & S


To my understanding, when you configure an L2L VPN connection on an ASA and you want to set 2 different peer IP addresses for the same L2L VPN connection, then you simply configure the crypto map with several IP addresses:

crypto map set peer

Or something like this.

I have only tested a setup where I had an ASA5520 with dual ISP and a remote ASA5505 that had an L2L VPN connection to the ASA5520, with 2 peer IP addresses defined for the single L2L VPN connection using the above-mentioned command.

It seemed to work just fine, but naturally it was just a lab test setup.

- Jouni


I have confirmed that setting multiple peers on the crypto map worked between Cisco ASA to Sonicwall. Make sure you configure the tunnel-group for the backup IP address with the same attributes. I would also leave the connection-type to default (bi-directional) since it worked fine for me.

Re:Backup peer IP configuration on site-to-site VPN between ASA

Jouni is correct. You simply specify multiple peers in the crypto map policy. It will attempt them in the configured order. Don't forget to create the tunnel-group for the subsequent peers.




Backup peer IP configuration on site-to-site VPN between ASA & S

This doesn't seem to work when the site-to-site VPN is between a Cisco and a non-Cisco device. Does anyone have failover working with a Cisco peer on one side of the connection and a non-Cisco device (Sonicwall in my case) on the other?



Backup peer IP configuration on site-to-site VPN between ASA & S

I want to clarify your topology. You have a Cisco ASA and a Sonicwall. You have two ISP connections on each firewall for redundancy. You want to configure the ASA to use both of the Sonicwall IPs in case one of the Sonicwall ISP connections goes down, and vice versa.

The configuration on the ASA is completely independent of the remote device. You just need to configure the crypto map entry with both peer IPs of the Sonicwall, such as:

     crypto map VPNMAP 10 set peer

You also need to make sure you have a tunnel group for each of the peer IP addresses with the same PSK. I have this configuration working just fine on several ASA devices without knowing the remote device, and a few others with various flavors of firewalls.

IIRC the Sonicwall also allows you to configure a secondary peer gateway IP for the IPSec configuration.

I also want to state that the ASA and Sonicwall will both attempt their primary peer IP addresses first, and if those fail, then they will fall back to the backup peer. There needs to be end-to-end connectivity and proper routing at each end for this to work.

If this is still not working, please provide VPN debugs from the ASA:

logging buffer-size 999999

logging buffered debugging

debug crypto isa 200

debug crypto ips 200

clear logging buffer

then try to bring up/failover the tunnel.




I know this is from 2 years ago but did you ever get this to work?



Re: Backup peer IP configuration on site-to-site VPN between ASA & SonicWall

Jouni and Mike are correct, but unfortunately multiple peer IPs are not working if you are using IKEv2.

You can configure it, but in the log you will see:


Feb 08 2018 03:38:21: %ASA-4-752009: IKEv2 Doesn't support Multiple Peers
Feb 08 2018 03:38:23: %ASA-3-752006: Tunnel Manager failed to dispatch a KEY_ACQUIRE message.  Probable mis-configuration of the crypto map or tunnel-group.  Map Tag = vpnpeer.  Map Sequence Number = 10.


So probably the only way is to use a new connection profile / a new, higher sequence number for the same crypto map with the secondary peer configuration.
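The thread raises three pitfalls with ASA peer failover: every peer listed in `set peer` needs its own tunnel-group, the backup tunnel-group must carry the same pre-shared key, and IKEv2 rejects multiple peers in one crypto map entry (the %ASA-4-752009 message above). The following checker, an added example that is not from the thread or from Cisco, parses a constructed ASA 8.4-style config fragment and reports each of those problems; the map name, sequence numbers, IPs and key values are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed ASA 8.4-style fragment (not from the thread): entry 10 lists two peers but
# only one has a tunnel-group; entry 20 lists two peers under IKEv2 with differing PSKs.
SAMPLE_CONFIG = """
crypto map VPNMAP 10 set peer 203.0.113.10 198.51.100.10
crypto map VPNMAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map VPNMAP 20 set peer 192.0.2.10 192.0.2.20
crypto map VPNMAP 20 set ikev2 ipsec-proposal AES256
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key SonicWallKey1
tunnel-group 192.0.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key SonicWallKey2
tunnel-group 192.0.2.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key OtherKey
"""
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
IKE_RE = re.compile(r"^crypto map (\S+) (\d+) set (ikev[12]) ")
TG_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
PSK_RE = re.compile(r"^\s+(?:ikev1|ikev2 remote-authentication) pre-shared-key (\S+)$")

def parse(config):
    entries = defaultdict(lambda: {"peers": [], "ike": set()})  # (map, seq) -> details
    psks, current = {}, None                                    # peer ip -> PSK
    for line in config.splitlines():
        if m := PEER_RE.match(line):
            entries[(m[1], int(m[2]))]["peers"] = m[3].split()
        elif m := IKE_RE.match(line):
            entries[(m[1], int(m[2]))]["ike"].add(m[3])
        elif m := TG_RE.match(line):
            current = m[1]            # entered the tunnel-group ipsec-attributes sub-mode
        elif (m := PSK_RE.match(line)) and current:
            psks[current] = m[1]
        elif not line.startswith(" "):
            current = None            # any other top-level line leaves the sub-mode
    return entries, psks

def check(config):
    entries, psks = parse(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        if "ikev2" in e["ike"] and len(e["peers"]) > 1:   # thread: %ASA-4-752009
            findings.append(f"{tag}: IKEv2 does not support multiple peers; use a separate higher-sequence entry")
        for peer in e["peers"]:
            if peer not in psks:
                findings.append(f"{tag}: peer {peer} has no tunnel-group with a pre-shared key")
        if len({psks[p] for p in e["peers"] if p in psks}) > 1:
            findings.append(f"{tag}: peers have different pre-shared keys; backup tunnel-group must match")
    return findings
```

Run `check()` over the output of `show running-config` to audit an existing box; an empty list means every listed peer has a matching tunnel-group and key and no IKEv2 entry carries more than one peer.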
