
VPN failover


Is it possible to have two VPN endpoints configured in two separate sites, one as a primary and one as a DR site? All VPN peers should connect to the primary site; however, if it is unavailable, they then connect to the DR VPN endpoint?

6 Replies


It is possible to have two VPN endpoints in two different sites as long as both sites can reach the same internal network and resources.

For example, if you have Site A and Site B, most likely both sites don't share the same internal network. This is a problem when a VPN connection to the first site fails over to the second site. (This problem does not happen if both VPN endpoints are in the same location.)

It is not impossible to have the failover for the two VPN endpoints on different sites, but you have to be very cautious with the routing (it all depends on the topology).

Let me know if you have any questions.


Thanks for your reply. Both endpoints do share the same internal LAN. How would you configure this on an ASA?

It depends if the configuration is for Site-to-Site VPN or Remote Access...

Either way, the client or peer needs to point to both IPs of the VPN headend (one having priority), and both VPN headend devices should share the same crypto configuration.

Let me know the details so that I can help you further.


How do you prioritize one headend over another?

For example, if you have a L2L, then under the crypto map you specify on the peer:

cry map NAME 60 set peer

Assuming the first VPN headend is and the second is

If it's a VPN client, then the VPN software under the backup servers command, you can enable the backup IPs in order of priority.
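The two points made in this thread (the peer or client must list both headend IPs with the primary first, and both headends must carry the same crypto configuration) put together as an added ASA configuration example. This is not configuration from the thread or from Cisco; the addresses PRIMARY_HEADEND_IP, DR_HEADEND_IP and REMOTE_PEER_IP are placeholders, the subnets 10.10.0.0/16 (branch) and 10.20.0.0/16 (the LAN shared by the primary and DR sites) are constructed for the example, and the policy numbers, names and pre-shared key are assumptions. The syntax is ASA 8.4+ IKEv1.

```cisco
! Added example, not from the thread. Placeholders to replace:
!   PRIMARY_HEADEND_IP / DR_HEADEND_IP  public IPs of the two headend ASAs
!   REMOTE_PEER_IP                      public IP of the branch ASA
!   PLACEHOLDER_PSK                     pre-shared key (use the same value on all three)

!--- Branch (spoke) ASA: primary headend listed first, DR second ---
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
! constructed subnets: branch 10.10.0.0/16, shared headend LAN 10.20.0.0/16
access-list VPN-TRAFFIC extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto map OUTSIDE_MAP 60 match address VPN-TRAFFIC
! order matters: the ASA tries PRIMARY first and moves to DR only if IKE gets no answer
crypto map OUTSIDE_MAP 60 set peer PRIMARY_HEADEND_IP DR_HEADEND_IP
crypto map OUTSIDE_MAP 60 set ikev1 transform-set TS-AES256
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
! one tunnel-group per headend IP, identical attributes; DPD detects a dead primary
tunnel-group PRIMARY_HEADEND_IP type ipsec-l2l
tunnel-group PRIMARY_HEADEND_IP ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group DR_HEADEND_IP type ipsec-l2l
tunnel-group DR_HEADEND_IP ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK
 isakmp keepalive threshold 10 retry 2

!--- Primary and DR headend ASAs: identical crypto config on both ---
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
access-list VPN-TRAFFIC extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
crypto map OUTSIDE_MAP 60 match address VPN-TRAFFIC
crypto map OUTSIDE_MAP 60 set peer REMOTE_PEER_IP
crypto map OUTSIDE_MAP 60 set ikev1 transform-set TS-AES256
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
tunnel-group REMOTE_PEER_IP type ipsec-l2l
tunnel-group REMOTE_PEER_IP ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK
 isakmp keepalive threshold 10 retry 2

!--- Remote-access (IPsec VPN client) variant: push the ordered backup list ---
group-policy RA-POLICY attributes
 backup-servers PRIMARY_HEADEND_IP DR_HEADEND_IP
```

Two things to check when testing this: the spoke only moves to the second peer when the first one stops answering IKE, so without the `isakmp keepalive` (DPD) lines a primary that dies with an SA still established can leave the tunnel hanging for the full SA lifetime before failover; and once traffic is on the DR headend it stays there until that tunnel drops, so the shared 10.20.0.0/16 LAN must be reachable through either headend with the routing the earlier replies warn about already in place.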


Perfect thanks!
