Cisco Support Community

New Member

Dual ISP with VPN failover

I have a remote site that has a 2851 currently with a single ISP and VPN site-to-site back to my HQ.  I would like to add a second ISP at the remote site for fail-over as the Internet connection at the location is somewhat unstable.  My HQ is fully redundant already with dual ISPs and eBGP.  To comply with corporate policy I tunnel all traffic back to HQ for inspection, content filtering, SSL decryption, etc.  I'd prefer to use a tunnel interface with this setup as I can do more with ACLs and security as opposed to crypto-maps.

Is it possible in the IOS to do the following?

  1. Establish a site-to-site tunnel using ISP1 and aggressive mode (works easier at HQ when 2 ISPs are involved) back to HQ.
  2. If ISP1 fails detect and switch over to ISP2.
  3. Re-establish the VPN tunnel with ISP2 back to HQ.
  4. Detect ISP1 is back up and flip back.

I could do this with 2 routers and HSRP but that would involve changing the way things work at HQ with the routing and I would like to avoid that if possible to not introduce more changes.  Any thoughts on how to do it would be appreciated.  Thanks in advance.

New Member

Hi, did you get the solution?


I am also looking forward to a solution to get the VPN failover. Right now I have 2 routers, each connected to a different ISP with a static IP. Internet failover is working fine and even the VPN tunnel is also fine, but I do not know how to configure the VPN failover... Do you have any idea about it?