Internet Failover from T-1 to Cable Connection


Was wondering if it's possible to do the following:

A remote site has a T-1 connection running a LAN to LAN VPN to our main site from ASA 5510 to ASA 5510. (Internally we have a 2600 series switch). In the event this connection goes down, we would like to configure a business class cable internet connection for failover. Cable company provides a modem, connected to an 800 series router (all managed by them). Is there any way, through routing policy or something, that I can have the ASA fail the VPN over from the T-1 to the business internet connection automatically in the event of a T-1 outage?

At the very least, can I have individual users fail over via AnyConnect VPN if I can get the business class cable connection to be live on the network?

I guess I am wondering if the ASA can handle 2 connections and can handle failover (and retain the IPsec tunnel in the process). If not, can I at least retain internet access (even if I have to kickstart the VPN tunnel)? I have been told I can put the cable connection in bridged mode?

Any help?  Thanks!

PS - I CAN get a router if I need to... I have a 2800 series to spare. AND I have a second ASA 5510 to spare.

MikeKane Commented:
Whichever side of the VPN will be implementing the ISP failover would have to be dynamic, since it could try to establish a VPN tunnel from either the primary ISP IP or the secondary ISP IP. The remote side would have to have the static

On the ASA WAN side, it would need to use the routable IP provided by the ISP. I don't recall seeing a setup like this except with a managed router in between the ASA and the ISP....

kmk2123Author Commented:
Also forgot to mention that we have private IP space from ARIN. I can use a dedicated /24 if need be.

The ASA can fail over from a primary ISP to a secondary ISP. Cisco has a how-to on it right here:

Please note that you need to have at least the version indicated, 7.x. And you need to have a 5510 or better.

When the failover happens, only outbound traffic will function. Inbound traffic will still be trying to hit the IP block from the original ISP. This includes AnyConnect clients on the outside. All site-to-site IPsec tunnels will not function, since the peer IP of your ASA will change to reflect the secondary ISP configuration. The only way around the site-to-site issue is to use a dynamic-to-static VPN tunnel where this side is dynamic and the remote end is static. The cons... only this side can initiate the tunnel, the other side cannot.
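A minimal ASA configuration for the dual-ISP failover plus dynamic-to-static tunnel described in this answer, as an added example (not from the Cisco how-to or from anyone in this thread). All addresses, interface names, map names and the pre-shared-key placeholder are constructed; it assumes a matching ISAKMP policy already exists on both ASAs and uses pre-8.3 NAT syntax.

```cisco
! --- Remote site ASA: the side that fails over, so it becomes the "dynamic" peer ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Probe the T-1 next hop. When the echo fails, track 1 goes down, the tracked
! default route is withdrawn, and the metric-254 route via the cable link takes over.
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Exempt VPN traffic from NAT; PAT everything else behind whichever WAN is active.
access-list VPN_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list VPN_TRAFFIC
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (backup) 1 interface
!
! One crypto map bound to both WAN interfaces, so after failover this side can
! re-initiate the tunnel to the static peer from the cable IP.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map ISP_MAP 10 match address VPN_TRAFFIC
crypto map ISP_MAP 10 set peer 192.0.2.2
crypto map ISP_MAP 10 set transform-set ESP-AES-SHA
crypto map ISP_MAP interface outside
crypto map ISP_MAP interface backup
crypto isakmp enable outside
crypto isakmp enable backup
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 pre-shared-key REPLACE_WITH_PSK
!
! --- Main site ASA (static peer 192.0.2.2): accept the tunnel from either remote IP ---
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE_WITH_PSK
```

Because the main site only has a dynamic map, it cannot start the tunnel; interesting traffic from the remote side (or a keepalive) must bring it up after the route flips, which is the limitation the answer describes.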
kmk2123Author Commented:
Gotcha - so just to be clear. The VPN tunnel would have to be initiated from the Remote site (rather than my main site)? MAIN SITE: STATIC -------> REMOTE SITE DYNAMIC?

However, could I not set the ASA device to use my own /24 from ARIN? Although I would assume on the ASA WAN side, it would need the provider IPs, not my own...