Cisco Support Community
VPN Redundancy ASA Dual ISP at each Location

Hello All,

I was running into issues when deploying some VPN redundancy between 1 main site and 2 remote sites, all using ASAs to terminate the VPN. Each location has a primary internet connection and a backup internet connection. When the primary connection at the main site fails, the backup VPN tunnels come up without an issue. However, when a remote site's primary internet connection fails, the tunnels come up for a brief moment and then proceed to go up and down sporadically.

What I have done in each crypto map is specify a second peer address at both the main site and the remote sites. I've also enabled the crypto map and isakmp on both outside interfaces. The isakmp state I keep getting during failover is: MM_WAIT_MSG2.

All ASAs are 5505s; however, the two remote sites do not have a Security Plus license. Instead they are using the no forward interface command on the secondary ISP VLAN to the primary ISP VLAN. This has seemed to work well so far. Solutions I've looked at so far seem to point at DPD (dead peer detection) or setting the connection type at the head end to originate only. I did try setting the head end to originate only, but this was not possible because the crypto map is associated with both outside interfaces.

I do know that the actual crypto map settings are correct, because they come up on the main internet connection without an issue. Please let me know if you have any suggestions, all are appreciated.

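As an added illustration (not the poster's configuration and not a known fix for the flapping described above), here is how the pieces the post names fit together on a 5505 without Security Plus: a backup ISP VLAN made reachable with `no forward interface`, ISP failover via a tracked default route, one crypto map with two peer addresses bound to both outside interfaces, isakmp enabled on both, and DPD keepalives set per tunnel-group. Interface names, map names, ACL names and all addresses (RFC 5737 documentation ranges) are assumptions chosen for the example; the syntax is the 8.2-era `crypto isakmp` form the post uses.

```cisco
! Constructed example for a remote-site ASA 5505 (base license).
! Primary ISP on Vlan2, backup ISP on Vlan3. Without Security Plus a third
! VLAN cannot initiate traffic to one other VLAN, hence "no forward interface".
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface Vlan3
 no forward interface Vlan2
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! ISP failover: default route via the primary ISP is withdrawn when the
! tracked probe to the primary gateway fails, and the backup route takes over.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Interesting traffic (assumed remote LAN 10.2.0.0/24 to head-end LAN 10.1.0.0/24).
access-list REMOTE_TO_HQ extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! One crypto map entry, two head-end peers: the primary ISP address of the
! main site first, its backup ISP address second.
crypto map VPNMAP 10 match address REMOTE_TO_HQ
crypto map VPNMAP 10 set peer 192.0.2.1 192.0.2.65
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
!
! The same map is bound to both ISP-facing interfaces, and isakmp is enabled
! on both, so the tunnel can be built from whichever interface holds the
! active default route.
crypto map VPNMAP interface outside
crypto map VPNMAP interface backup
crypto isakmp enable outside
crypto isakmp enable backup
!
! Each head-end peer address needs its own tunnel-group. DPD keepalives
! (threshold 10 s, retry 2 s) let a dead SA on the failed path be torn down
! instead of lingering while the new path is negotiated.
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key <PLACEHOLDER_PSK>
 isakmp keepalive threshold 10 retry 2
!
tunnel-group 192.0.2.65 type ipsec-l2l
tunnel-group 192.0.2.65 ipsec-attributes
 pre-shared-key <PLACEHOLDER_PSK>
 isakmp keepalive threshold 10 retry 2
```

A note on reading the state the post reports: on an ISAKMP initiator, MM_WAIT_MSG2 means the first main-mode message has been sent and no reply has arrived from the peer, so during the remote-site failover the checks worth making are which interface the ASA actually sourced the IKE packet from (`show route` for the active default route) and whether the head end sees that packet arrive at the peer address it expects (`show crypto isakmp sa` on both ends). The head-end `connection-type` change the post mentions is a per-entry setting (`crypto map <name> <seq> set connection-type originate-only`), and it is mutually exclusive with binding that map to more than one interface, which matches what the poster observed.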