Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
967
Views
0
Helpful
1
Replies

VPN failover using 2 ISP internet lines

admin_2
Level 3
Level 3

‎11-08-2009 03:46 PM - edited ‎03-11-2019 09:37 AM

Hi, Can anyone tell me how to setup automatic VPN failover using 2 seperate ISP circuits. Eg, Our Local office has 2 different internet lines conneced to an ASA5510. we VPN from this office to all other remote locations. All traffic originates here.

Circuit 1 is primary (default Gateway). I use SLA montoring/Route Tracking to monitor remote office public IP's on ASA. When circuit 1 fails, the default route then goes out Circuit 2 and sets up a new tunnel. All this works as expected.

The problem is that the crypto maps on the remote ASA will still try to route all traffic destined the local office back to Circuit 1 IP as it is listed first on the interface crypto map.

what i then see on the remote ASA is 2 tunnels up to both circuit 1 and 2.

I cannot add an additional tunnel peer on the remote end as traffic does not originate there. any ideas?

Labels:
0 Helpful
1 Reply 1

JORGE RODRIGUEZ
Level 10
Level 10

‎11-20-2009 01:05 PM

Hi,  not sure if you found resolution to your problem if so let us know how u solved it , if not perhaps try enabling DPD (dead peer detection) at both ends,  DPD should sense primary tunnel  down and  automatically initiate the secondary tunnel per  fallback second peer configured  and route through backup link .  just a thought… may want to try it see if that helps.

Regards

Jorge Rodriguez
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card