Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

VPN Failover - Router, ASA or both?


Background - at the moment we have 64k links to branch sites with cisco routers at both ends (3600 central, 1841 remote). These low bandwidth links are  very costly and not fast enough to run email/internet applications therefore we also have a seperate VPN network at each site where machines that need these applications are configured to use. (ASA 5500 central on a 10mb Fibre, ASA/PIX at remote sites on a DSL connection).

I am looking to tidy this up and consolidate into one reliable network. My question is, is there a router that can do the following:

  • Connect to two ISP's - I would like two links at each site.. be it a Leased Line & DSL or two DSL connections
  • VPN Connection to central ASA 5500 with Automatic Failover i.e if an Internet link goes down the VPN will re-establish on the other
  • Firewall - or would I be better in keeping the ASA's curerntly at the remote sites? If so.. how should they be configured along with the router & VPN?
  • QOS should we decide to look at VOIP in the future.

I have looked at the Cisco 1921 router, would this be suitable?

Thanks in advance for any advice.


Re: VPN Failover - Router, ASA or both?

Look on the Cisco site for document Id 41940. If you are not running public ally addressable services at the remote sites, then a router is all you need, IMHO.

Sent from Cisco Technical Support iPad App

Community Member

VPN Failover - Router, ASA or both?

Thanks I'll take a look

We do have overnight CCTV monitoring at some sites so the router/firewall will need to be publicly accessible.


VPN Failover - Router, ASA or both?

1- Get rid of ASA for VPN termination endpoint because they can not do GRE/IPSec or VTI.

2- you only need routers even if the routers have Internet facing.  As long as  you configure the routers properly, no need to worry about since these routers are used to terminate IPSec and nothing else.

3- With routers, you will be able to utilize multiple ISP connectivity for GRE/IPSec or DMVPN and do just about everything you want.  Things that ASA can not provide. Not to mention QoS as well.

CreatePlease to create content