I'm curious if anyone has thoughts about how to design this. I'm working with a customer who is going to be connecting a few branches back to the main office via L2L VPNs. Because they have a DR site that's connected to the main office via a PTP circuit I want to use secondary gateways on my crypto maps on the branch firewalls so they can fail over to the DR site if the main site goes offline.
That much is easy. The problem is that when using secondary tunnels the VPN tunnels won't automatically fail back over to the primary when it becomes available again. They'll just churn along happily using the secondary. I'll want them to fail back to the primary.
So I have two questions. First, if I set the lifetime on the SA to something like four hours, would that mean that it would fail back to the primary, if it's available, after the timer expires and the tunnel re-establishes?
Second, is there a better way of doing this?
I should add that I ran across documentation that suggested using tracked routes for this, making the one to the primary site the preferred route. That may work but my concern is that because these sites will get their internet through the primary and DR sites (via hairpin) I can't really tie the default route to a track like that. The ASA's default routes will have to be their local internet provider's gateway.
Thanks