
Remote site redundancy with multiple ADSL lines connecting to datacentre via IPSEC VPN

We are looking into options for improving resiliency at our remote sites.  At the moment, they typically have an 800 series router and single ADSL line at our remote branches, connecting to the headend ASA firewall in the datacentre via IPSEC VPN.

At some geographical locations, ADSL is really the only option (without spending a LOT of cash) so, although there are limitations to it, the only possibility may be to have a 2nd ADSL line at these locations via a 2nd ISP.

The question is, what would be the best/most cost-effective way of achieving resilience with 2 ADSL lines at our branches? The problem I can see is getting the headend ASA to "realise" when the primary ADSL connection is down and to use the secondary ADSL instead.

Maybe we could have e.g. a Cisco 1921 with 2 x ADSL WIC cards and select one of them as the "backup" interface, tracking the primary? (Then rely on Dead Peer Detection at the ASA with each peer defined in the crypto map.) Is that possible? If so, I guess the main issue with that would be that we would only have a single router, so no hardware redundancy?

The other option might be simply to "double up" and get another Cisco 800 series router and connect it to the 2nd ADSL line. I could see how we could use HSRP (tracking the primary router and ADSL line) to take care of the branch traffic. But, as above, we'd be left with the problem of how the headend ASA would "know" when the primary had failed (and/or when it came back up again).

Any thoughts/suggestions on best way of achieving resilience with 2 ADSL lines at a remote site and IPSEC VPN connectivity to a headend ASA?

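The single-router variant described in the question (two ADSL lines on one branch router, the secondary used as a tracked backup, DPD at the ASA with both branch addresses listed as peers) can be written down as a pair of configurations. The following is an added example, not configuration from the original poster or from Cisco; it assumes the two ADSL lines already terminate on Dialer1 (primary ISP) and Dialer2 (secondary ISP) with static public addresses, that the ASA runs 8.4-style syntax, and that all addresses are placeholders from the documentation ranges (branch line 1 = 198.51.100.5, branch line 2 = 192.0.2.40, a primary-ISP probe target = 198.51.100.1, ASA outside = 203.0.113.10). Internet breakout/NAT at the branch is omitted.

```cisco
! ===== Branch router (IOS), constructed example =====
! Probe a host inside the primary ISP (placeholder: its DNS server) rather
! than the ASA, and pin that host to Dialer1, so the probe always tests the
! primary path even after the default route has moved to Dialer2.
ip route 198.51.100.1 255.255.255.255 Dialer1
!
ip sla 1
 icmp-echo 198.51.100.1 source-interface Dialer1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Primary default route is withdrawn when the tracker fails; the floating
! static (admin distance 250) via the second ADSL line then takes over,
! and VPN traffic to the ASA follows it.
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 250
!
! IKE/IPsec: one crypto map applied to both dialers, DPD enabled so a dead
! tunnel is cleared on this side too.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.10
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
ip access-list extended VPN-ACL
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.255.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-AES-SHA
 match address VPN-ACL
!
interface Dialer1
 crypto map VPN
interface Dialer2
 crypto map VPN

! ===== Headend ASA (8.4-style syntax), constructed example =====
! Both branch public addresses are valid peers for the same crypto map
! entry, and each has its own tunnel-group carrying the key and DPD timers.
access-list BRANCH-TRAFFIC extended permit ip 10.0.0.0 255.255.0.0 10.1.1.0 255.255.255.0
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map outside_map 10 match address BRANCH-TRAFFIC
crypto map outside_map 10 set peer 198.51.100.5 192.0.2.40
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
!
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>
 isakmp keepalive threshold 10 retry 3
!
tunnel-group 192.0.2.40 type ipsec-l2l
tunnel-group 192.0.2.40 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>
 isakmp keepalive threshold 10 retry 3
```

The ASA never has to be told which line is live: the branch router's tracker moves the default route, the next IKE negotiation is sourced from whichever dialer is now the egress, and the ASA accepts it because that address is in the peer list and has a matching tunnel-group. What bounds the failover time is DPD on the ASA (here about 10 s plus 3 retries before the stale SA for the failed address is torn down), so keep those values short and check with `show crypto isakmp sa` / `show crypto ipsec sa` on both ends that only the surviving peer remains after a test failover. The two-router HSRP variant from the question changes only the branch side; the ASA configuration above is identical, since it still just sees two possible peer addresses.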

One thing you should consider is path redundancy. Typically multiple ADSL providers will use the wire plant of the ILEC to deliver the circuits. So while you will wind up with multiple providers, you really will only improve your uptime if your existing provider is having internal issues. If your primary downtime is because of fallen trees or backhoes, you may be achieving very little.

If possible you should investigate cable modems. While path redundancy is still an issue, at least you will have separate headends for the devices to talk to.

Sent from Cisco Technical Support iPad App