

ASA with a secondary route via IPSec (ospf?)


I have a simple requirement that I am hoping someone can kindly validate.

Running an ASA firewall, I would like to achieve the following:

I would like to setup two external routes for my firewall. The primary/default would use the outside interface. Should this route become unavailable, I would like to route via an IPSec LAN2LAN tunnel, using the outside interface.

My question: can I run OSPF over both the outside interface and the VPN tunnel to achieve this routing scenario (seeing as they reside on the same interface, I am a little concerned)?

Any advice appreciated.

Thank you



ASA with a secondary route via IPSec (ospf?)


I think you would need GRE to be able to run routing protocol through a L2L VPN connection.

And ASA can't do IPsec + GRE tunnels like Cisco Routers.

So it doesn't really seem possible.

Also I am a bit confused about this purpose. You say you would be using a single interface for both the normal default route and the L2L VPN connection. Wouldn't a failure fail both routes if we presumed this could be done on the ASA alone?

- Jouni


ASA with a secondary route via IPSec (ospf?)

Thanks for the response.

I have just been looking at the ASDM.

It looks like there is a 'Tracking Option' under the routing section. So, you can add a couple of static routes, one with a higher SLA ID, and then track accordingly.

Not sure how this will work with a crypto map though, may screw it all up. But worth a test.

As for the purpose, they would share the same outside interface but have two different gateways (LAN Router & ISP Router); however, they are in a failover pair. So if the physical Ethernet port / connection fails, the ASA would fail over to the secondary unit. The failover unit would then pick up the IPsec VPN route.

That's my thinking anyway.

Viable ?
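As an added illustration of the 'Tracking Option' described in the post above (this is not configuration from the thread or from Cisco's documentation): on the ASA the ASDM tracking option corresponds to an SLA monitor, a track object and two static routes with different metrics. All addresses are constructed RFC 5737 documentation values and are assumptions; substitute your own gateways.

```cisco
! Constructed/assumed addresses: 203.0.113.1 = ISP router (primary gateway),
! 198.51.100.1 = LAN router in front of the L2L tunnel (backup gateway).
! Both gateways sit on the same outside interface, as in the thread.

! Probe the primary gateway with ICMP echo every 10 seconds
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Track object 1 goes down when the SLA probe loses reachability
track 1 rtr 10 reachability

! Primary default route (metric 1) stays installed only while track 1 is up
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1

! Floating backup default route (metric 254) is used once the tracked
! primary route is withdrawn from the routing table
route outside 0.0.0.0 0.0.0.0 198.51.100.1 254

! Verification (show commands, not configuration):
! show sla monitor configuration 10
! show track 1
! show route
```

The probe only detects loss of reachability to the primary gateway while the interface stays up; as noted in the thread, a failure of the outside interface itself takes both routes down, which is the case the failover pair is expected to cover.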


ASA with a secondary route via IPSec (ospf?)


Sadly I can't really provide much insight into this setup.

But to my understanding you need GRE to be able to run routing through a L2L VPN connection. And as ASA can't do that, it is not possible to my understanding.

I still don't understand the setup completely.

Normally your default route would be the ISP Router and if it failed you would start routing towards some LAN Router/L2L VPN. Where would that L2L VPN be connected to?

- Jouni


ASA with a secondary route via IPSec (ospf?)

I also don't really understand the scenario ... but the ASA can run routing through a VPN. It's described in the following document:

Still, a router would probably be the better device to achieve the desired result.

