I have a single Cisco ASA (8.4) shown on the left and I currently have two site-to-site VPNs setup to the two third party firewalls shown on the right.
A new circuit has been installed between the two third party sites and I would like to add the ability for the VPN/routing to failover to the other VPN in the event of losing one of the VPNs/third party firewalls.
For example if the top right firewall was to stop working, VPN 1 would drop and traffic destined for 192.168.0.2 would go via VPN 2.
I'm struggling to find any documentation on how to set this up, which leads me to think it may not be possible using the Cisco ASA, hence the reason for posting here. If you don't know then nobody does.
Can someone point me in the right direction or give a name to what I am trying to achieve so I can find some examples please.
Thanks - So essentially this would just create the VPN1 alongside VPN2. So we'll have two tunnels, one carrying the 192.168.0.1 <-> 192.168.0.2 traffic and another carrying the 192.168.0.1 <-> 192.168.0.3 traffic?
I find the post a bit unclear and would like to understand a couple of things better. The original post says that there are already two VPN tunnels set up and running. But it tells us little about them. Are they both connected for the same enterprise? Is there a common set of resources reached through them? Or is there a unique set of subnets through one and a different set of subnets through the other?
It is also not clear how they are connected. The addressing given implies that both peers are on a common subnet. Is that the case? Also the original post indicates a new circuit is installed. But it is not clear what is connected by the new circuit and how that might impact connectivity between these peers. Can you provide some clarification?
I am concerned about the suggestion of configuring a second address on the set peer statement. Are we suggesting that one crypto map statement will use
set peer 192.168.0.2 192.168.0.3
while the other crypto map statement will use
set peer 192.168.0.3 192.168.0.2
In that case, if one of the peers fails, it will result in the ASA trying to establish two tunnels to the same remote device. And in my experience that is not supported.
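For reference, the feature the "set peer" discussion above refers to is the ASA's backup-peer list: a single crypto map entry names a primary and a backup peer, and the ASA only tries the backup after the primary stops responding. The following is an added illustration of that form on ASA 8.4 syntax; it is not configuration from the original poster or from either answer, and the map name, ACL name, transform-set name, pre-shared keys and the subnets in the ACL are placeholders that would need to be replaced with the real values. It deliberately uses one crypto map entry for the protected traffic rather than two entries that each list both peers, which is the arrangement the concern above is about.

```cisco
! Added example (not from the thread): one crypto map entry with a backup peer.
! Assumption: IKEv1 is enabled on the outside interface (crypto ikev1 enable outside).

! Interesting traffic: LOCAL_SUBNET and REMOTE_SUBNET are placeholders for the
! real networks on each side of the tunnel.
access-list VPN_ACL extended permit ip LOCAL_SUBNET 255.255.255.0 REMOTE_SUBNET 255.255.255.0

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! One entry, one traffic selector, two peers: 192.168.0.2 is tried first,
! 192.168.0.3 only if the first peer is unreachable. Backup peers on the ASA
! are used only when the entry is originate-only (assumption based on the
! ASA crypto map documentation; verify against the 8.4 command reference).
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 192.168.0.2 192.168.0.3
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP interface outside

! Each peer still needs its own tunnel-group. Dead peer detection (isakmp
! keepalive) is what lets the ASA notice a failed peer and move to the backup;
! without it the tunnel only fails over when the SA lifetime expires.
tunnel-group 192.168.0.2 type ipsec-l2l
tunnel-group 192.168.0.2 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_KEY_PEER_A
 isakmp keepalive threshold 10 retry 2

tunnel-group 192.168.0.3 type ipsec-l2l
tunnel-group 192.168.0.3 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_KEY_PEER_B
 isakmp keepalive threshold 10 retry 2
```

Two points worth checking before relying on this: the backup peer must be willing to accept the same traffic selector (the third-party firewalls' proxy IDs have to match VPN_ACL on both boxes), and the state of the tunnel can be watched with "show crypto ikev1 sa" and "show crypto ipsec sa" to confirm which peer the security associations are actually built to after a failover.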