Showing results for 
Search instead for 
Did you mean: 

Secondary VPN tunnel for the same source and destination

Madhan Kumar


I have a requirement. I am having a Site-Site vpn tunnel to one of client and up and running. Now my client came with one more different service provider for high availability with one more Firewall. Meaning new Peer IP with different firewall. But the inside servers are same.

From my side source and destination are same and I have to create a one more tunnel for the new peer IP. My qs is since the source and destination are same I belive at a time only one tunnel will take forward the traffic. If I want tp test the secondary tunnel I have to remove the primary tunel and check?.

Can anyone can help me on this typical requirement.



1 Reply 1

Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

I believe you are correct - only one or the other can work from your end but not both. The "interesting traffic" will go over the VPN based on first match in your ASA configuration.

Site-site VPNs don't do deal well with dual providers where the provider circuits terminate directly on a Cisco firewall since its routing capabilities are pretty rudimentary. It's usually preferable to terminate multiple providers into an external router that can run BGP or such to choose the best path. But that sort of assumes you have a provider-independent network address of your own.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers