Single ASA connects to end point via 2 separate IKEv2 s2s tunnels

Youreateapot418
Level 1

Like the title says, I am looking to set up a connection to an endpoint, but with connectivity via 2 x IKEv2 tunnels (I've only ever done single tunnels).

It appears to me that if we set them up in parallel, we would run into all sorts of NAT issues etc. (all the same networks and settings, just 2 independent tunnels).

Tunnels will be in primary and secondary setup (i.e. only one used at a time).

When searching documents on it, I keep getting dragged into VPN client setups; I want site-to-site VPN tunnels.

Also, I have been advised this can be done in tunnel groups and crypto maps, but I'm not sure how.

Any advice or links greatly appreciated. 

[attached diagram: atunnels.png]

16 Replies

Do you use VTI or policy-based VPN?

MHM

I haven't tried anything, as I don't even know where to start.... like I mentioned, single tunnels, fine with.... two in parallel, no idea?

Working in ASDM too, so not a CLI specialist on the ASAs.

Do I just set up 2x tunnels as normal and link them together with VTI or policy-based VPN?

Will have a look into those two points (never used them; again, new to ASAs, first time being asked to do anything complicated).

You need to use VTI on both sides.

And use BGP to prefer one path over the other.

That is all you need.

MHM

Both replying at the same time.

Will look at the far end peering via BGP also (they currently don't).

When you say VTI on both sides, is that between ASA and ISP1, then ASA and ISP2... or just configured on the ASA side for both tunnels?

Looking at VTI.... this looks interesting... we use crypto maps. 

So I basically build 2 tunnels normally using VTI, then I can just static route out to whichever tunnel and weight the primary so it's primarily selected?

Apologies again, all new to me, I don't even know the relevant terminology.

You can use a static route and weight it via one VTI, but I prefer BGP; it is faster and easier for failover if a VTI is down.

MHM

Thank you, will look into both options! 

Also, thank you for the doc link!

Friend, you are welcome.

MHM

@Youreateapot418 the most elegant solution is to use VTIs with a routing protocol, but you can achieve the same thing using crypto maps. On the spoke you define two peers; when the primary tunnel fails the ASA will fail over to the secondary tunnel.

crypto map CMAP 1 set peer <primary ip> <secondary ip>

If you wish to fail back to the primary VPN tunnel when it is back up, you can use preempt. https://integrate.uk.com/asa-vpn-preempt/

Thanks Rob, I will look into this also! I'll be kicking myself if it's as simple as building a second tunnel separately and just adding the secondary IP into Tunnel 1's crypto map.

@Youreateapot418 you don't build/configure a second tunnel; you add the secondary IP to the existing tunnel (on the spoke ASA). If the tunnel via the primary goes down, it attempts to re-establish the tunnel, but to the secondary IP.

You will also have to configure the routing on the DC side with the 2 ISP links, to fail over routing if the primary link goes down.

Ah!

Can this tunnel have a different key also, or does it need to be the same? (There doesn't appear to be an option for this in ASDM, so I'd probably have to do it at CLI level.)

@Youreateapot418 the DC side (the ASA with 2 ISPs) would still establish a tunnel to the same IP address of the spoke ASA (the ASA with 1 ISP), so having different PSKs would not work in this scenario. Certificates are stronger if you are concerned about security.
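The dual-peer crypto map approach from Rob's replies, written out as a complete spoke-side configuration. This is an added example, not configuration posted in the thread; the peer addresses, subnets, object, ACL and proposal names are placeholders, and `<PSK>` stands for the one pre-shared key both tunnel-groups must share.

```cisco
! Spoke ASA (single ISP). Constructed example; addresses and names are placeholders.
! DC-side peer via ISP1: 203.0.113.10 (primary), via ISP2: 198.51.100.10 (secondary)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
object network LOCAL-LAN
 subnet 10.10.0.0 255.255.255.0
object network DC-LAN
 subnet 10.20.0.0 255.255.255.0
! Identity NAT so traffic between the two LANs is never translated on its way into the tunnel
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static DC-LAN DC-LAN no-proxy-arp route-lookup
!
access-list VPN-ACL extended permit ip object LOCAL-LAN object DC-LAN
!
! One crypto map entry with two peers: the ASA tries them in order, primary first
crypto map CMAP 1 match address VPN-ACL
crypto map CMAP 1 set peer 203.0.113.10 198.51.100.10
crypto map CMAP 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map CMAP interface outside
!
! One tunnel-group per peer IP. Both carry the same PSK, because the DC side
! authenticates the spoke against a single peer IP no matter which ISP is in use.
! DPD (isakmp keepalive) lets the ASA notice a dead primary and move to the secondary.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>
 isakmp keepalive threshold 10 retry 2
```

After a failover, `show crypto ikev2 sa` on the spoke shows which of the two peer addresses the current SA is built to.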
