https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754650#M496189 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P></P><P>Would it be also be possible to specfic different interfaces in the crypto map i.e. <EM>crypto map l2lsites interface outside and <EM>crypto map l2lsites interface outside2.</EM></EM></P><P></P><P><EM><EM>As the WAN failover would switch over to outside2?</EM></EM></P><P></P><P><EM><EM><BR /></EM></EM></P></BODY></HTML> Mon, 10 Oct 2011 16:02:01 GMT John Peterson 2011-10-10T16:02:01Z https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754648#M496187 <P>Hi,</P><P></P><P>Hopeing someone can point me in the right direction, I have a ASA 5505 which is connected to a remote site which also has a ASA 5505 over a L2L VPN tunel. One of the sites has a WAN failover configured with two ISP which is working successfully. </P><P></P><P>But, when the WAN connection fails over to the backup connection the VPN link breaks as the peer site IP address has changed and the VPN can not establish a connection. </P><P></P><P>Would it be possible to configure a VPN failover so that when the connection failovers so will the VPN tunnel?</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 21:35:42 GMT https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754648#M496187 John Peterson 2019-03-11T21:35:42Z https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754649#M496188 <HTML><HEAD></HEAD><BODY><P>John</P><P></P><P>When you use the "crypto map <MAPNAME> <INDEX number="">&nbsp; set peer x.x.x.x" you can specify multiple peer IPs to use as a fallback list ie. it tries the first IP and if that fails then the next etc. So you could try - </INDEX></MAPNAME></P><P></P><P>crypto map <MAPNAME> <INDEX> set peer x.x.x.x y.y.y.y&nbsp; &lt;--- where y.y.y.y is the backup Wan IP.</INDEX></MAPNAME></P><P></P><P>Jon</P></BODY></HTML> Mon, 10 Oct 2011 15:40:42 GMT https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754649#M496188 Jon Marshall 2011-10-10T15:40:42Z https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754650#M496189 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P></P><P>Would it be also be possible to specfic different interfaces in the crypto map i.e. <EM>crypto map l2lsites interface outside and <EM>crypto map l2lsites interface outside2.</EM></EM></P><P></P><P><EM><EM>As the WAN failover would switch over to outside2?</EM></EM></P><P></P><P><EM><EM><BR /></EM></EM></P></BODY></HTML> Mon, 10 Oct 2011 16:02:01 GMT https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754650#M496189 John Peterson 2011-10-10T16:02:01Z https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754651#M496190 <HTML><HEAD></HEAD><BODY><P>Yes you can apply different crypto maps to different interfaces if that is what you are asking but you would need to make sure that if you wanted the traffic to go via outside2 for failover then traffic is routed that way on the ASA.</P><P></P><P>Jon</P></BODY></HTML> Mon, 10 Oct 2011 19:10:44 GMT https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754651#M496190 Jon Marshall 2011-10-10T19:10:44Z https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754652#M496191 <HTML><HEAD></HEAD><BODY><P>Thanks,</P><P></P><P>would the ASA choose the next interface is it can't connect.</P><P></P><P>I'm looking to do something like this:</P><P></P><P><EM>crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac<BR /> crypto map l2lsites 10 match address acl-l2l-ny<BR /> crypto map l2lsites 10 set peer XXX.XXX.XXX.XXX<BR /> crypto map l2lsites 10 set transform-set esp-3des-md5<BR /> crypto map l2lsites interface outside</EM></P><P><EM><EM>crypto map l2lsites interface outside_failover</EM></EM></P><P></P><P><EM><EM><EM>crypto isakmp enable <EM>outside</EM></EM></EM></EM></P><P><EM><EM><EM><EM><EM><EM><EM>crypto isakmp enable <EM>outside_failover</EM></EM></EM></EM><BR /><BR /></EM></EM></EM></EM></P><P></P><P>In which case when the internet connection fails over the VPN the ASA would know that outside is down and then its try outside_failover.</P><P></P><P>I'm right in thinking this is how it would work?</P></BODY></HTML> Tue, 11 Oct 2011 07:08:39 GMT https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754652#M496191 John Peterson 2011-10-11T07:08:39Z https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754653#M496192 <HTML><HEAD></HEAD><BODY><P>Also how about the tunnel group?</P></BODY></HTML> Wed, 12 Oct 2011 13:21:21 GMT https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754653#M496192 John Peterson 2011-10-12T13:21:21Z https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754654#M496193 <HTML><HEAD></HEAD><BODY><P>I managed to get it working, like so</P><P></P><H1 style="text-align: center; font-size: 20px; color: #000000; font-family: Verdana, Arial, Helvetica, sans-serif; background-color: #ffffff;"><A href="http://www.petenetlive.com/KB/Article/0000544.htm"><STRONG>Cisco ASA/PIX 8.x: Redundant or Backup ISP Links</STRONG> with VPNs</A></H1><P></P><P>Pete</P></BODY></HTML> Mon, 12 Dec 2011 15:02:52 GMT https://community.cisco.com/t5/network-security/asa-5505-vpn-failover-over-wan-failover/m-p/1754654#M496193 Peter Long 2011-12-12T15:02:52Z