
Backup VPN tunnel question


I currently established a VPN tunnel between our New Office to our DataCenter-A that has routing to a far end host in Atlanta.

If our new office needs to access Atlanta, it routes through our DataCenter-A location. We have a backup site, DataCenter-B, that also has access to the Atlanta host. Is it possible to create another VPN tunnel from the new office to DataCenter-B and have it provide failover to Atlanta in case the new office connection to DataCenter-A is lost? I was reading this may be possible. The crypto maps in the new office ASA VPN config would have the same destination IP in Atlanta for both the DataCenter-A and DataCenter-B configurations.


access-list crytomapDC_A  extended permit ip x.x.x.x (lan hosts)   172.x.x.x.x (atlanta host)

access-list cryptomapDC_B extended permit ip x.x.x.xx (same lan hosts)  172.x.x.x.xx(same far end atlanta host)

It would be (2) different peers as they are different locations.



You should be able to do this from what you described.

The New Office will have two IPsec L2L tunnels (primary to the Data-Center A and backup to Data-Center B) and both will be used to access the Atlanta host.

It is by means of routing that the ASA will decide to use the primary tunnel if available and switch to the backup connection.

Since the interesting traffic on New Office will be the same for both tunnels (to access Atlanta host), you can have something similar to this:

New Office ASAs:

crypto map NAME 10 set peer x.x.x.x y.y.y.y

x.x.x.x --> IP of the Data-Center A

y.y.y.y --> IP of the Data-Center B

Hope it helps.


Oh wow, I didn't realize it would be that easy! Let me give it a try. Thank you Federico!


Can you explain how the ASA would pick the primary vs the backup by means of routing assuming you are not running a routing protocol on the ASA?


Richard Burts
Hall of Fame Guru

The first address given is the primary and the originating device will attempt to establish VPN with it first. The second address given is the backup and the originating device will attempt to establish VPN with it if the primary is not accessible or is not responding. So it is not a question of routing but a question of whether the primary peer is reachable and will respond or not.
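The New Office side of the primary/backup peer arrangement from the two replies above, written out as an added example (not the thread's own configuration). ACL and map names, interface name, addresses, transform set, IKE policy and pre-shared keys are placeholders assumed for illustration:

```cisco
! Interesting traffic: New Office LAN to the Atlanta host (placeholder addresses).
! The same ACL serves both peers, since the far-end host is identical.
access-list cryptomap_ATL extended permit ip 10.10.0.0 255.255.255.0 host 172.16.50.10

crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! One crypto map entry, two peers: the first listed (DC-A) is tried first,
! the second (DC-B) only if DC-A is unreachable or stops responding.
crypto map OUTSIDE_MAP 10 match address cryptomap_ATL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! One L2L tunnel-group per peer; the pre-shared keys are placeholders.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <DC-A-PSK>
 ! Dead Peer Detection lets the ASA notice a silent primary and tear down
 ! that SA, so the next interesting packet re-negotiates and falls back to DC-B.
 isakmp keepalive threshold 10 retry 2

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <DC-B-PSK>
 isakmp keepalive threshold 10 retry 2
```

Once the ASA has moved to DC-B it stays on that SA until it expires or is cleared; it does not preempt back to DC-A on its own. Both data-center peers must accept the New Office peer with matching interesting traffic and must each have a route to the Atlanta host.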





Thanks Rick, that makes sense. Now, what if the two tunnels have different crypto maps to each location?

Richard Burts
Hall of Fame Guru

If both tunnels have different crypto maps then each tunnel would attempt to negotiate and to go active. If both tunnels are active then there is no primary and backup, they are both active.

I have configured and run an environment where a router had two tunnels, with two instances within the crypto map. So both tunnels became active. I then ran a routing protocol over the tunnels and let the routing protocol select which tunnel would carry the traffic. In this way I was able to have a primary tunnel and a backup tunnel, even though both tunnels were active at the same time.





In one of the setups, there are two S2S tunnels between an ASA pair (active/standby) and two different Cisco routers. The ASA has two physical interfaces (outside-1 & outside-2) where the two tunnels are terminated (primary and secondary ISPs).


I want to keep both tunnels active, as clients are initiating calls from each tunnel (the clients are behind the routers) to reach the call manager, which is behind the ASA firewall.


It works perfectly fine and calls pass through the ASA to reach the call manager when one tunnel is active (either primary or secondary). But when I bring up the other tunnel (the primary is up and I bring up the secondary tunnel, or vice versa), the phones de-register (calls drop).


I am running BGP on the ASA. The interesting traffic and source networks are the same for both tunnels. I am not using any NAT configuration.


The primary DC uses the primary tunnel; clients point to the primary call manager.

The secondary DC uses the secondary tunnel; clients point to the primary call manager (fallback is configured at the call manager anyway).


This is a completely new setup. From observation there is no asymmetric routing issue, as both tunnels are up and it works with any one tunnel at a time. The only issue is with voice traffic, as the tunnel is dedicated to VoIP and carries no other data traffic.


Is there something doable on the ASA? I would like to know whether this is a supported feature/design or a limitation on the ASA side.


I am also looking for alternate recommendations to achieve this.


Your inputs are highly appreciated.
