
How do I create secondary failover IPsec tunnel on ASA

dbuckley77
Level 1

Our current situation is that we have an operational VPN tunnel between a Palo Alto PA 3020 at our primary site and a Cisco ASA 5505 at our satellite site. We have implemented ISP redundancy and redundancy for this tunnel on the PA 3020. I need to know how to add to the existing ASA 5505 config so that if the primary site fails over to the secondary ISP connection, the Cisco will switch the tunnel to the secondary peer IP address. I have never done this before. We are not concerned with any type of internet redundancy at the site with the ASA. It's only one way, so that if the primary ISP goes down at the Palo Alto site the Cisco sees this and switches its end of the tunnel to the new peer IP. Hope this is all clear. Thanks.

1 Reply

balaji.bandi
Hall of Fame

From the Cisco ASA point of view, you create another tunnel using another ISP.

So you have 2 tunnels here.

You can create IP SLA tracking for the links, and if one fails you can automatically fail over to the other tunnel, cleaning the NAT tables (there may be a small blip in the connection).

You can use this example for the IP SLA tracking:

https://learningnetwork.cisco.com/blogs/vip-perspectives/2018/07/27/cisco-asa-site-to-site-vpn-failover

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
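
The IP SLA tracking that the reply describes, sketched as an added example for an ASA that has two ISP links; it is not taken from the thread or from the linked article. The interface names `outside` and `backup`, the crypto map name `OUTSIDE_MAP`, the use of IKEv1, and every address (RFC 5737 documentation ranges) are assumptions.

```cisco
! Assumed: "outside" = primary ISP, "backup" = second ISP,
! OUTSIDE_MAP = the crypto map that already carries the site-to-site tunnel.
! All addresses are placeholders from the RFC 5737 documentation ranges.

! Probe a host that is reachable only through the primary link.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.10 interface outside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 10 life forever start-time now

! Track object 1 stays up while the probe keeps succeeding.
track 1 rtr 10 reachability

! The primary default route is withdrawn when track 1 goes down;
! the backup route (higher administrative distance) then takes over.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! Let the same tunnel definition negotiate on the backup interface too.
! The NAT exemption for the VPN subnets must also exist for "backup".
crypto ikev1 enable backup
crypto map OUTSIDE_MAP interface backup
```

`show track 1` and `show route` confirm which default route is installed after the probe target becomes unreachable.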