Cisco ASA - backup VPN connection failover

A customer has an existing Cisco ASA (ASA1) providing primary Internet and remote site VPN connectivity. One of the site-to-site VPN connections (Site X) is critical to the organization, so they need to implement a backup/failover VPN to Site X using a 2nd ASA (ASA2) connected to another ISP.  Both ASAs are in-place (ASA2 currently only handling an incoming remote VPN connection).

We need to somehow configure failover for the Site X VPN - if ASA1 (or its ISP connection) fails, we need the traffic destined for Site X to automatically failover to the Site X VPN through ASA2/ISP2. We don't care about load-balancing at this point, just failover for VPN connectivity.

Thanks, and as always, reference docs/links are appreciated!
cfan73Asked:
Who is Participating?
 
MikeKaneConnect With a Mentor Commented:
For the remote site, I think you need 2 things.

First, you need to make sure you've setup the redundant ISP config on the ASA.  
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
With that, if the primary ISP fails, the 2nd ISP becomes active as the default gateway.  

Second, in the VPN config at the remote site, you need to add the 2nd ASA IP as the 2nd peer address.  

You probably have a "CRYPTO MAP <name >  SET PEER x.x.x.x" setup in the VPN section.     You just add the 2nd IP inline.  "CRYPTO MAP <name> SET PEER x.x.x.x y.y.y.y"
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2066090
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.