Cisco Support Community

New Member

Redundant L2L VPN Tunnel between ASA and 2 IOS Routers ?

We have some ASA and PIX devices connected to an IOS Router in our main datacenter using IPSec L2L tunnels.

Is it possible to create a "backup tunnel" between such a PIX/ASA and another IOS Router in our backup datacenter?

We would like the traffic to use the main tunnel if it is up, but to automatically switch to the "backup tunnel" in case the primary one fails. The main and backup IOS Routers are located in the same LAN and are talking OSPF. I know it is possible to add multiple peers to a crypto map on the ASA, but I don't know how to route this on the datacenter routers.


Re: Redundant L2L VPN Tunnel between ASA and 2 IOS Routers ?


You can have VPN redundancy between the ASA and two IOS routers.

The ASA can have two peers under the same crypto map and both routers should have a site-to-site with the ASA.

By means of routing, you make one tunnel the primary one and have the backup take over if it fails.

Please let us know what questions you have.


New Member

Re: Redundant L2L VPN Tunnel between ASA and 2 IOS Routers ?

Hi Federico,

Thanks for your reply. I am still not sure about the routing.

On the ASA I will have a static route pointing to the outside interface, won't I?
How does the ASA decide to use the primary peer if it is up, but to use the secondary in the other case?

Can I trigger the routes on the routers based on the status of the IPSec tunnel?
How will the backup router know that the tunnel on the primary router fails
(only that specific tunnel or the primary router's internet line, but not the whole primary router)?

Thank you in advance for your help.