Showing results for 
Search instead for 
Did you mean: 

Creating VPN failover on Cisco ASA (single ISP)

I have a single Cisco ASA (8.4) shown on the left and I currently have two site-to-site VPNs setup to the two third party firewalls shown on the right.

A new circuit has been installed between the two third party sites and I would like to add the ability for the VPN/routing to failover to the other VPN in the event of losing one of the VPNs/third party firewalls.

For example if the top right firewall was to stop working, VPN 1 would drop and traffic destined for would go via VPN 2.

I'm struggling to find any documentation on how to set this up, which leads me to think it may not be possible using the Cisco ASA, hense the reason for posting here. If you don't know then nobody does.

Can someone point me in the right direction or give a name to what I am trying to achieve so I can find some examples please.




Hi Nicholas,

This can be achieved by using a second peer on the proper crypto map.

This is how it should look like:

crypto map mymap 10 set peer x.x.x.x y.y.y.y

You can take a look at this link if you need additional information:

Thanks - So essentially this would just create the VPN1 alongside VPN2. So we'll have two tunnels one carrying the <-> traffic and another carrying the <-> traffic?

I find the post a bit unclear and would like to understand a couple of things better. The original post says that there are already two VPN tunnels set up and running. But it tells us little about them. Are they both connected for the same enterprise? Is there a common set of resources reached through them? Or is there a unique set of subnets through one and a different set of subnets through the other?

It is also not clear how they are connected. The addressing given implies that both peers are on a common subnet. Is that the case? Also the original post indicates a new circuit is installed. But it is not clear what is connected by the new circuit and how that might impact connectivity between these peers. Can you provide some clarification?

I am concerned about the suggestion of configuring a second address on the set peer statement. Are we suggesting that one crypto map statement will use

set peer

while the other crypto map statement will use

set peer

In that case if one of the peers fails it will result in the ASA trying to establish two tunnels to the same remote device. And in my experience that is not supported.




Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: