ASA VPNS to the same subnet

Hi All,

I'd just like to get your opinion on a weird setup.

I have site A and site B, which each have an ASA. I create 2 VPNs from site A to site B.

My question is: which VPN would be used for sending traffic? What would be the default behaviour of the ASA in terms of selecting which tunnel it would choose? Would it load share?

I don't want to use NAT etc.; I just want to know what would happen, for lab interest. (My ASA is on loan so I can't test it.)

I'm interested as in future I want to make VPN 1 primary and VPN 2 as backup.

I look forward to your response.

Jouni Forss


I don't think you can have 2 L2L VPNs between the same 2 VPN endpoints (interfaces/IP addresses).

I guess you would need a lot more than just the ASAs to create a redundant connection/routing between 2 sites while using L2L VPN.

Perhaps have:

  • 2 Internet connections per site
  • 2 ASAs per site
  • 2 L2L VPNs between the sites
  • Use routers on each site behind the ASAs and use GRE+Dynamic routing to select which VPN connection is used.

I must admit I haven't had to do even one of these setups as we connect customer networks/sites through MPLS network and dedicated connections. Might be something interesting to lab though at some point.

- Jouni

Hi Jouni,

Thanks for your reply. Let me tweak the question a little. What if we had 1 ASA at site A, and 2 ASAs at site B? We would then create 2 VPN tunnels:

tunnel1:     Site A ASA1 to Site B ASA1

tunnel2:     Site A ASA1 to Site B ASA2

So the problem is that Site A only has 1 ASA but with 2 VPN tunnels to the same subnet at Site B. How can we find out which VPN would be taken from Site A to Site B? There are 2 VPNs on Site A ASA so just wondering which one it would take to reach site B? ... just a matter of interest rather than anything else.

So Site A ASA has a tunnel to each of Site B ASAs as peers and each peer encryption domain has the same subnet? This will depend on the order of the crypto maps you have configured, because as soon as the interesting traffic is matched it will fire up that tunnel and it stops there. Is there any reason why you can't have one VPN peer as active and configure the second peer as the standby? I'm assuming you're trying to achieve some level of redundancy with 2 active VPN tunnels, but I don't believe that will work with IPsec VPNs.
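To illustrate the crypto map ordering point and the active/standby alternative, here is a constructed Site A ASA configuration (added example, not from the original post; all names and 203.0.113.x / 10.x addresses are placeholders, and IKEv1 policy, NAT exemption and the Site B side are omitted):

```cisco
! Site A ASA, constructed to mirror the thread's setup.
! One ACL describes the interesting traffic (site A LAN -> site B LAN).
access-list VPN_TO_SITEB extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! --- Setup as described in the thread: two entries bound to the same ACL ---
! Entry 10 peers with Site B ASA1, entry 20 with Site B ASA2.
! The crypto map is evaluated in sequence-number order and stops at the first
! match, so with an identical ACL entry 20 is never reached: no load sharing.
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITEB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP 20 match address VPN_TO_SITEB
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP interface outside

! --- Primary/backup form suggested in the reply above (replaces both entries) ---
! A single entry lists the peers in priority order: the ASA negotiates with
! 203.0.113.10 first and only moves to 203.0.113.20 when the first peer fails.
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITEB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 203.0.113.20
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP interface outside

! Each peer address still needs its own L2L tunnel-group. Dead peer detection
! is what lets the ASA notice a dead primary and actually fail over.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PSK_FOR_SITEB_ASA1
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PSK_FOR_SITEB_ASA2
 isakmp keepalive threshold 10 retry 2
```

The backup peer is only consulted when this ASA is the one initiating the tunnel, so Site B's two ASAs each need a matching peer entry pointing back at Site A.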
