Cisco Support Community
Community Member

VPN Failover within the same ASA

Hi Everyone,

I'm working out a concept here and want to know if this can be done. On an ASA I would like to have 2 different interfaces connect to 2 different ISPs - one primary, one backup. As well, I will be running VPN tunnels across the links.

What I want to know is if I have a tunnel established over ISP A to our remote site, and it fails, is there a way to have the state information and tunnel moved over to ISP B, on the same ASA device?


Community Member

Re: VPN Failover within the same ASA

I don't think you will be able to transition a VPN from one IP address on one interface to another IP address on another interface in the event of a failure. The best thing you could do from a redundancy standpoint would be to have an address range that is advertised via BGP to both ISPs. In the event of a connectivity failure, the address would not change (only the route).

To further increase redundancy, use two ASAs capable of A/S failover. This will keep state information between the two devices, but that's not exactly what you are asking for.
