
CISCO ASA 5505 - VPN failover

Hi All,


Our head office is in London and we have a branch office in Manchester. We are going to change our ISP soon; this means we are going to have a 200GB primary line and a 100GB secondary line. So we will have two public IP addresses with the new ISP lines.

We have a current VPN setup from London to Manchester. We are using SonicWall in London and Cisco ASA in Manchester.


My question is: how do I configure the Cisco ASA to fail over to the secondary line if the primary goes down in head office (Manchester has only 1 public IP)? I understand this is something we need to do from the SonicWall, but site-to-site VPN works with one public IP address, so do I need to create two VPN tunnels on the SonicWall or is there another way to get around this?


Really appreciate it if someone can help.






There are several ways to do that.

How are you interconnected to each ISP? Static or dynamic routing?


Here is an example:


You might need a Security Plus license.



Hi Jerome,

Sorry for the delay. I had seen this before I posted on the Cisco community. As you have seen in the article, this has two different lines on the ASA side.
In my scenario the ASA side has only one public IP address but head office has two public IPs.
I have seen another article which mentioned I need to add a second peer on the crypto map.



Sorry I misunderstood your request.


So, it's simple:

* Headquarters

- define the tunnel settings on the secondary head end (IKE policy, transform set, ACL matching networks on the ASA side...)

* Branch ASA

- add the new IKE policy if needed

- define the PSK for the new peer HQ

tunnel-group <new_peer_HQ_added> type ipsec-l2l
tunnel-group <new_peer_HQ_added> ipsec-attributes
 ikev1 pre-shared-key *****

- add its IP address as a secondary peer on the ASA:

crypto map CR_map 10 match address <acl_networks_HQ>
crypto map CR_map 10 set peer <peer_HQ> <new_peer_HQ_added>
! adapt the transform set if needed
crypto map CR_map 10 set ikev1 transform-set ESP-AES-128-SHA


On HQ, since you will have two routes available for the ASA networks, you might have to play with metrics to prioritise one path over the other.
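An added example, not part of the reply above and not Cisco tooling: a Python check over saved ASA configuration text that every peer listed in a crypto map entry has its own ipsec-l2l tunnel-group with an IKEv1 pre-shared key, which is the pairing the steps above set up for the new HQ peer. The sample configuration, its addresses and the function names are constructed for illustration.

```python
import re
# Constructed sample of a branch ASA configuration. 192.0.2.10 and 198.51.100.20
# are documentation addresses standing in for <peer_HQ> and <new_peer_HQ_added>.
SAMPLE_CONFIG = """\
crypto map CR_map 10 match address acl_networks_HQ
crypto map CR_map 10 set peer 192.0.2.10 198.51.100.20
crypto map CR_map 10 set ikev1 transform-set ESP-AES-128-SHA
crypto map CR_map 10 set connection-type originate-only
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 198.51.100.20 type ipsec-l2l
"""

def parse(config):
    """Collect crypto map entries and tunnel-groups from configuration text."""
    entries, groups, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) (\d+) set (peer|connection-type) (.+)", line):
            e = entries.setdefault((m[1], int(m[2])), {"peers": [], "conn": "bidirectional"})
            if m[3] == "peer":
                e["peers"] += m[4].split()
            else:
                e["conn"] = m[4]
        elif m := re.match(r"tunnel-group (\S+) (type|ipsec-attributes)(?: (\S+))?$", line):
            g = groups.setdefault(m[1], {"type": None, "psk": False})
            if m[2] == "type":
                g["type"] = m[3]
            # Indented lines that follow "ipsec-attributes" belong to this group.
            current = g if m[2] == "ipsec-attributes" else None
        elif raw.startswith(" ") and current is not None:
            current["psk"] = current["psk"] or line.startswith("ikev1 pre-shared-key")
        else:
            current = None
    return entries, groups

def audit(config):
    """Return one finding per crypto map peer that lacks tunnel-group settings."""
    entries, groups = parse(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        for peer in e["peers"]:
            g = groups.get(peer)
            if g is None or g["type"] != "ipsec-l2l":
                findings.append(f"{name} {seq}: peer {peer} has no ipsec-l2l tunnel-group")
            elif not g["psk"]:
                findings.append(f"{name} {seq}: peer {peer} has no ikev1 pre-shared-key")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the second peer, whose tunnel-group has a type but no pre-shared key; `parse` also returns each entry's connection type so it can be compared with what the other end expects.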



Hi Jerome,


Thanks for the reply. It looks like I have to create a different VPN connection for this new line.

I tried to add the new line's public IP to the crypto map's current policy as a second peer. Once I had done this I changed the connection type from bidirectional to originate-only.

The connection was lost and I had to PuTTY on to the ASA to change to bidirectional and get the connection back again.


This looks like I have to create a completely different policy for this connection. I thought we could easily add a second line with a public IP.

Any thoughts?




If this secondary headend uses the same IKE policy and encrypts the same networks, it's not necessary to create a whole new tunnel setup.

Remember that crypto maps need to be bijective: what you expect on the ASA side is like a mirror of what you expect on the other side.

If your second VPN server on HQ uses different settings (especially the list of networks expected to come from the ASA...) then you might need a second tunnel as you said.



Yes, that's what I meant. Our head office uses SonicWall and this branch uses Cisco ASA. I don't understand why this didn't work when failing over to the secondary line (headquarters).

Does the Cisco ASA need a reboot?

Not sure.