06-29-2016 03:59 PM
Greetings,
I have a pair of ASA5510s that are used to terminate IPSec LAN-LAN VPNs (active-standby) using static routing. I have a trading partner who wants to have a primary and a failover VPN (he has 2 different endpoints), so I understand I will need to set up 2 different VPNs.
My issue is with the routing. How do I get traffic to use the primary link all the time and only bring up the secondary when the primary fails? And to failover back to the primary again when it is restored?
Weighted routes were mentioned (won't cover the fail-back) but the destination is the same in both instances (next hop is the external gateway address).
Thanks heaps.
Reece.
06-30-2016 02:03 PM
Hi Reece,
You can use the crypto map command to add both IP addresses in the remote end:
"crypto map <mapname> <#> set peer <x.x.x.x> <y.y.y.y>"
The ASA will try to negotiate with peer "x.x.x.x".
If "x.x.x.x" is down or doesn't respond, it will try to negotiate with "y.y.y.y".
Let me know if that helps!
07-03-2016 04:41 PM
Thanks heaps.
Another valuable piece of information to help me out.
07-05-2016 06:57 AM
Reece,
I forgot to tell you that you need to configure a tunnel-group for "y.y.y.y" as well with the pre-shared-key.
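The configuration the replies above describe, put together as an added example that is not part of the original posts. It assumes ASA 8.4+ IKEv1 syntax and an IKEv1 policy already enabled on the outside interface; the map, ACL and transform-set names, the documentation-range addresses and the key placeholder are all illustrative.

```cisco
! Added example; names, addresses and key are constructed placeholders.
! 192.0.2.1    = partner primary endpoint   (x.x.x.x in the thread)
! 198.51.100.1 = partner secondary endpoint (y.y.y.y in the thread)
! 10.10.0.0/24 = local LAN, 10.20.0.0/24 = partner LAN

access-list PARTNER-VPN extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0

crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! One crypto map entry with both peers, tried in the order listed
crypto map OUTSIDE_MAP 10 match address PARTNER-VPN
crypto map OUTSIDE_MAP 10 set peer 192.0.2.1 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! A tunnel-group for each peer address, each with the pre-shared key
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>

! Exec-mode checks: which peer the tunnel is currently established with
show crypto ikev1 sa
show crypto ipsec sa peer 192.0.2.1
```

Without the second tunnel-group, negotiation with the secondary peer has no pre-shared key to use, which is the point of the follow-up reply.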