Failing over between two ASAs for site to site VPN

Roman Rodichev
Rising star

Locally there are two ASAs, ASA1 and ASA2, in two DCs, so no VPN LB and no FO.

Remotely there's one ASA3

ASA1 has a site to site tunnel to ASA3, and ASA2 has a site to site tunnel to ASA3 with exactly the same encryption domain. ASA3 is configured with ASA1/ASA2 peer IPs *under the same crypto map* as primary and backup peers. In other words, only one of the two IPSEC tunnels will be up at one time, for example ASA1-ASA3

If ASA1 fails, I want the tunnel ASA2-ASA3 to take over.

The question is about routing. Both crypto maps on ASA1 and ASA2 are configured with RRI. RRI will inject remote destination prefix routes even before the tunnel is up. In other words, both ASA1 and ASA2 will inject the routes and they will be redistributed into IGP.

I want the internal network to failover between two ASAs for this traffic and therefore there should be a proper route selection.

My thought process is that if ASA1's peer IP is primary on ASA3's side, then ASA1-ASA3 should be the primary tunnel that is actually up. I should make sure that ASA2 redistributes those static RRI routes into EIGRP with a high enough delay so that even the local router on the inside of ASA2 would prefer the path to ASA1.

If ASA1 actually fails then traffic should failover to ASA2.

But what if the ASA1 VPN tunnel fails for some reason, I don't know, maybe the outside interface on ASA1 is down. The RRI route redistribution would probably not change.

Any ideas how to solve this?
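As an added illustration of the design described in the question (example configuration written for this page, not the poster's own config), here is how the static crypto maps with RRI and the EIGRP delay tuning would look on the three ASAs. The interface name, the peer addresses (198.51.100.1/2 for ASA1/ASA2, 203.0.113.3 for ASA3), the 10.1.0.0/16 and 10.3.0.0/16 encryption domain, the ASA 8.4-style `ikev1` keywords and the EIGRP AS number are all assumptions, and the pre-shared keys are placeholders. The hubs are set to answer-only, as suggested later in the thread, so that a returning ASA1 does not try to bring up a second SA for the same proxy IDs.

```cisco
! --- ASA3 (remote site): one static crypto map, ASA1 listed as primary peer, ASA2 as backup ---
access-list L2L-TO-HUB extended permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto ipsec ikev1 transform-set TS-AES esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L-TO-HUB
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1 198.51.100.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>

! --- ASA1 (hub, preferred path): same encryption domain, answer-only, RRI ---
access-list L2L-TO-ASA3 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
crypto ipsec ikev1 transform-set TS-AES esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L-TO-ASA3
crypto map OUTSIDE_MAP 10 set peer 203.0.113.3
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES
crypto map OUTSIDE_MAP 10 set connection-type answer-only
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.3 type ipsec-l2l
tunnel-group 203.0.113.3 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
! RRI installs 10.3.0.0/16 via outside as a static route (on a static map: whether or not the SA is up).
! Redistribute only that prefix, with a low delay (metric = bandwidth delay reliability loading mtu).
access-list RRI-PREFIXES standard permit 10.3.0.0 255.255.0.0
route-map RRI-ONLY permit 10
 match ip address RRI-PREFIXES
router eigrp 100
 network 10.1.0.0 255.255.0.0
 redistribute static metric 100000 100 255 1 1500 route-map RRI-ONLY

! --- ASA2 (hub, backup path): identical crypto, but a much higher delay on redistribution ---
access-list L2L-TO-ASA3 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
crypto ipsec ikev1 transform-set TS-AES esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L-TO-ASA3
crypto map OUTSIDE_MAP 10 set peer 203.0.113.3
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES
crypto map OUTSIDE_MAP 10 set connection-type answer-only
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.3 type ipsec-l2l
tunnel-group 203.0.113.3 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
access-list RRI-PREFIXES standard permit 10.3.0.0 255.255.0.0
route-map RRI-ONLY permit 10
 match ip address RRI-PREFIXES
router eigrp 100
 network 10.1.0.0 255.255.0.0
 redistribute static metric 100000 10000 255 1 1500 route-map RRI-ONLY
```

With this, the internal routers see 10.3.0.0/16 from both hubs and prefer ASA1 because of the lower delay; if ASA1 dies, its EIGRP adjacency drops and ASA2's route takes over. The limitation is exactly the one raised in the question: on a static crypto map the RRI route exists regardless of SA state, so the metric trick covers ASA1 failing as a whole but not ASA1 losing only its outside interface or its tunnel.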

5 Replies

Marcin Latosiewicz
Cisco Employee


Essentially what you're looking for is to have IOS-like RRI functionality. It's the RRI enhancement request I gave you in our other exchange.

Have a look at the workarounds configured there; the one with the dynamic crypto map is my favorite.

I have another question for you: what happens when ASA2 takes over and, after some longer time, ASA1 comes back up?

It starts initiating a tunnel to ASA3. It will try to use the exact same proxy IDs as the connection which is currently up (between ASA2 and ASA3). ASA1 and ASA2 ideally should be set as responders only (for this crypto map), if you do not go for the dynamic crypto map approach.


I have this working great, but I need to know if the remote site initiates traffic or the hub site initiates traffic. If the remote site initiates traffic, I just configure the remote site as initiate only, and the hub site as answer only. In this case, only the hub ASA that the spoke decided to connect to will install the RRI route.

I'm not yet sure what to do in the situation where the hub side or both sides initiate the traffic.

Marcin, a follow up question on this. If I convert the hub side from static tunnel to dynamic crypto, the remote site configuration wouldn't have to change. In this case, if I have two hub ASAs, both with dynamic crypto, I'm wondering what will happen to tunnels and RRI. Remote site would pick specific ASA to bring up the tunnel. The hub ASA with the active tunnel would install the RRI route, and the other hub ASA would not. So that's good. Now the question is will this work if only the hub site initiates traffic? Probably not?


Sorry for the late response, I'm trying to get my mailbox into order after migration.

You are correct, it will not work the way you would like it to.



I also received an update from you on another thread but I cannot open it :{

No worries Marcin, the other update was posted from the wrong account, so I deleted it.

Right, obviously in dynamic crypto case client side has to initiate the connection, so that doesn't help me.


Remember that to avoid problems you also need to have respond-only in case of multiple peers.

What you need is an IOS router or an account manager who can prioritize that enhancement request.

