Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Redundency with IPSec Tunnels

I need some assistance in proper;y setting up a failover tunnel on spoke connections. We have ASA's located at two separate data centers. I would like for a router @ a remote location to fail over to a separate ASA, giving the initial tunnel goes down.

I am thinking that I should utilize one of these two ways:

crypto map tohub 1 ipsec-isakmp

set peer default

set peer

set security-association idletime 120 default



crypto map tohub 10 ipsec-isakmp

set peer

crypto map tohub 20 ipsec-isakmp

set peer


Is it possible and would I need to setup two RSA keys on the remote routers.


Any help would be greatly appreciated.


Re: Redundency with IPSec Tunnels

Hall of Fame Super Silver

Re: Redundency with IPSec Tunnels


While both configs would be possible I believe that the first one is closer to providing the functionality that you describe of failing over to the other peer if the first one fails. The first alternative has a single tunnel and is a bit more simple. In the second approach you are configuring 2 tunnels. And they both will be active all the time.

I have done a project for a customer where we did something similar. In that case we chose to configure 2 tunnels. We also configured the IPSec VPN to run with GRE. We run a dynamic routing protocol over the GRE tunnel and the choice of which tunnel to send traffic over and the automatic detection of loss of a peer and failover to the other peer is handled by the routing protocol. This works fine but it does introduce some complexities not present in the single tunnel approach.



New Member

Re: Redundency with IPSec Tunnels

Its not RSA keys that you define, its preshared key.

you can define 2 peers in just 1 statements, if peer 1 cannot be contacted then it will try and negotiate phase 1 with peer 2 , you can define upto 5 peers (i believe)

depending on how your routing is setup you might also need to add a floating static for the peer 2.

New Member

Re: Redundency with IPSec Tunnels

Thanks for all the replies.

I was talking to a guy from Cisco and he told me that the first one is the best, but i need to make sure that each ASA has the same root certificate.

Does anyone have any insight on this.

CreatePlease to create content