https://community.cisco.com/t5/network-security/ipsec-tunnel-redundancy-solution/m-p/3696558#M12652 <P>Hello,</P> <P>&nbsp;</P> <P>Are you considering a scenario wherein you have dual ISP and you wish to fall back to second ISP for vpn tunnel if the primary ISP fails, then yes it is possible:</P> <P>&nbsp;</P> <P>It will be similar to :</P> <P>&nbsp;</P> <P><A href="https://community.cisco.com/t5/vpn-and-anyconnect/cisco-asa-dual-isp-vpn-redundancy/td-p/1723979" target="_blank">https://community.cisco.com/t5/vpn-and-anyconnect/cisco-asa-dual-isp-vpn-redundancy/td-p/1723979</A></P> <P>&nbsp;</P> <P>If you have any other specific failure scenario in mind, please let us know.</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>AJ</P> Tue, 28 Aug 2018 20:56:32 GMT Ajay Saini 2018-08-28T20:56:32Z https://community.cisco.com/t5/network-security/ipsec-tunnel-redundancy-solution/m-p/3696441#M12649 <P>Hello,</P> <P>&nbsp;</P> <P>We currently have a pair of&nbsp;ASA 5510 configured in a failver. We have a Site-To-Site IPSec VPN configured to a remote site. So, hardware-wise, we have a fail-over solution but not a logical one where if the IPSec tunnel were to fail then it would failover to another tunnel. Is there such solution? Are are any recommendations to mitigate IPSec Tunnel failures provided that the primary ASA and the link to the ISP are operational?&nbsp;</P> <P>&nbsp;</P> <P>Thanks in advance.</P> <P>~zK&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 21 Feb 2020 16:09:35 GMT https://community.cisco.com/t5/network-security/ipsec-tunnel-redundancy-solution/m-p/3696441#M12649 zekebashi 2020-02-21T16:09:35Z https://community.cisco.com/t5/network-security/ipsec-tunnel-redundancy-solution/m-p/3696556#M12650 Hi,<BR />You can define a backup peer ip address on the crypto map, which would only be used if the first peer ip address is down. E.g. - "crypto map CRYPTO_MAP 5 set peer 1.1.1.1 2.2.2.2"<BR /><BR />HTH Tue, 28 Aug 2018 20:54:01 GMT https://community.cisco.com/t5/network-security/ipsec-tunnel-redundancy-solution/m-p/3696556#M12650 Rob Ingram 2018-08-28T20:54:01Z https://community.cisco.com/t5/network-security/ipsec-tunnel-redundancy-solution/m-p/3696558#M12652 <P>Hello,</P> <P>&nbsp;</P> <P>Are you considering a scenario wherein you have dual ISP and you wish to fall back to second ISP for vpn tunnel if the primary ISP fails, then yes it is possible:</P> <P>&nbsp;</P> <P>It will be similar to :</P> <P>&nbsp;</P> <P><A href="https://community.cisco.com/t5/vpn-and-anyconnect/cisco-asa-dual-isp-vpn-redundancy/td-p/1723979" target="_blank">https://community.cisco.com/t5/vpn-and-anyconnect/cisco-asa-dual-isp-vpn-redundancy/td-p/1723979</A></P> <P>&nbsp;</P> <P>If you have any other specific failure scenario in mind, please let us know.</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>AJ</P> Tue, 28 Aug 2018 20:56:32 GMT https://community.cisco.com/t5/network-security/ipsec-tunnel-redundancy-solution/m-p/3696558#M12652 Ajay Saini 2018-08-28T20:56:32Z https://community.cisco.com/t5/network-security/ipsec-tunnel-redundancy-solution/m-p/3696561#M12653 <P>You may also be able to setup the firewalls in multiple context mode in an active/active state.&nbsp; You could then build an IPSec&nbsp;tunnel from each ASA through the two ISPs&nbsp;and have both tunnels up at the same time.&nbsp;Depending on your routing, you could send some traffic one way, and some traffic the other way. There are some caveats with multiple-contexts, such as you cannot have the same vlan between contexts.</P> <P>&nbsp;</P> Tue, 28 Aug 2018 21:01:50 GMT https://community.cisco.com/t5/network-security/ipsec-tunnel-redundancy-solution/m-p/3696561#M12653 Alex Pfeil 2018-08-28T21:01:50Z