Solved: Backup remote peer

omar.elmohri · ‎11-08-2009

I need to configure my ASA to get a second IP-peer to be as a backup for the VPN IPSec tunnel if the primary fails.

Any one can help?

Thank you.

hdashnau · ‎11-08-2009

Set a second peer in the crypto map:

"Configuring multiple peers is equivalent to providing a fallback list. For each tunnel, the security appliance attempts to negotiate with the first peer in the list. If that peer does not respond, the security appliance works its way down the list until either a peer responds or there are no more peers in the list."

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2193237

If the tunnel is already active and then the first headend fails, it will take a few minutes for the DPDs (dead peer detect) to sense the tunnel is down, but after this the failover should happen automatically; when the primary tunnel negotiations fails, it should go to the backup peer configured.

-heather

View solution in original post

hdashnau · ‎11-08-2009

Set a second peer in the crypto map:

"Configuring multiple peers is equivalent to providing a fallback list. For each tunnel, the security appliance attempts to negotiate with the first peer in the list. If that peer does not respond, the security appliance works its way down the list until either a peer responds or there are no more peers in the list."

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2193237

If the tunnel is already active and then the first headend fails, it will take a few minutes for the DPDs (dead peer detect) to sense the tunnel is down, but after this the failover should happen automatically; when the primary tunnel negotiations fails, it should go to the backup peer configured.

-heather