Cisco ASA with dual peer on crypto map - failback from secondary to primary peer

Hello team,

We have a deployment with a Cisco ASA 5508 and dual ISP in our HQ. We also have a branch 5505 with a single ISP doing a site-to-site VPN against the 5508, so dual peer on crypto map is configured on the 5505 side.


It appears to be working fine when the primary peer is active, then failover to the secondary peer also works fine if the primary ISP fails on the 5508 side.


The problem is when the primary ISP gets restored on the 5508 side, the 5505 would not failback to the primary peer.


Has anybody experienced something similar? Or does anybody happen to know if there is some documentation stating whether it is expected that the firewall will not fail back to the primary peer when it gets restored?


I swear I had it working for like 3 years with a previous deployment of two 5505s and very old software version 8.2.5. However, a few weeks ago we had to migrate the HQ to a 5508 with recent software 9.8.4.x, and this is when the issues started. Then we upgraded the software version of the branch 5505 to the last supported version 9.1.x, but the issue didn't get resolved.


Any feedback will be highly appreciated.


Thanks in advance and Best Regards!

VIP Advisor

Hi, by default the ASA won't preempt. You can do this using failover groups.
You can look it up in the Cisco docs.

**** please remember to rate useful posts