Asked by travisryan:

VPN failover between ASA 5510s

Currently I have a network that looks like this:
ASA5510 - - - Internet - - - ASA5510
   |                            |
 EIGRP                        EIGRP
   |                            |
  2821 ---------MPLS--------- 1841
The MPLS connection is currently down, I'm trying to run a failover Site-to-Site VPN over the internet. All of the examples I've read have both connections involved in the failover coming out of one device. Since I'm not working that way, what is going to be the best way to failover? Do I need to set up some sort of IP SLA in the config? Or can I somehow weight routes in EIGRP in a way that the connection will failover from Internet to MPLS when the MPLS goes down and vice versa when the MPLS connection comes back up?
This post has a very similar situation, but the instructions weren't detailed enough for me to follow: https://supportforums.cisco.com/thread/2006404

Any help is appreciated as these 2 sites are currently cut off from one another.
Thanks in advance.


You should be able to automatically failover to VPN backup. We are using SLA monitoring because we cannot read the routing tables out from our MPLS provider's routers. If you can publish the routes out from your Cisco router to the ASA, then you can have automatic failover by relying on the default route, assuming the ASA is your default gateway. Which version of ASA software do you use? EIGRP isn't supported before 8.0.2.

EIGRP has been running on our network for several years now, that's not the issue. I realize I should be able to do failover, but everything I've tried so far has been unsuccessful. Does anyone have a working example of such a failover in place? Even if the networking protocols are different the code might point me in the right direction.


We have working failover. Where is the failover not working? What are the symptoms/problems? When the failover is supposed to work, what are your routing tables on the routers showing? Also, some idea of IPs would be useful. They don't have to be the real IP subnets. What are the other networks and how are they connected? Are they behind the ASA from the MPLS perspective or not?

Our networks are structured as follows:

        |                      |
LAN----ASA                    ASA----LAN
        |                      |
       RTR---------MPLS-------RTR

We are using SLA monitoring as we currently cannot read out the routing tables from the MPLS provider and this works. If we get a failure on the MPLS, our VPNs start working.

I can't provide running configs due to security reasons, but I can run you through your config using the concepts involved.
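As an added illustration of the SLA-monitoring approach described in this answer (not the poster's configuration and not taken from the thread), here is the relevant fragment for the left-hand ASA in pre-8.3 ASA syntax. All addresses are constructed: 10.1.0.0/16 is the local LAN, 10.2.0.0/16 the remote LAN, 10.1.0.2 the 2821's address on the ASA's inside network, 10.2.0.2 a far-side address reachable only across the MPLS, 203.0.113.1 the ISP gateway and 198.51.100.1 the remote ASA's public address.

```cisco
! --- Left ASA (constructed addresses; adapt to the real topology) ---
! Probe a far-side address that is reachable ONLY across the MPLS, and
! force the probe out the inside interface so it can never ride the VPN.
sla monitor 10
 type echo protocol ipIcmpEcho 10.2.0.2 interface inside
 num-packets 3
 frequency 10
 timeout 3000
sla monitor schedule 10 life forever start-time now
!
! The track object goes down when the probe stops getting replies.
track 1 rtr 10 reachability
!
! Primary path: remote LAN via the 2821 (MPLS), AD 1, installed only while
! track 1 is up.  AD 1 beats the EIGRP-learned copy of the prefix (AD 90).
route inside 10.2.0.0 255.255.0.0 10.1.0.2 1 track 1
!
! Backup path: floating static out the Internet interface (AD 254).  It only
! enters the routing table once the tracked route is withdrawn, which steers
! remote-LAN traffic to the outside interface where the crypto map matches.
route outside 10.2.0.0 255.255.0.0 203.0.113.1 254
!
! Interesting traffic for the site-to-site tunnel, and NAT exemption for it.
access-list VPN-L2L extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NONAT   extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-L2L
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set TS
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-STRONG-PSK
!
! Verify:  show sla monitor operational-state 10 / show track 1 / show route
```

The remote ASA needs the mirror-image configuration (probe a left-site address over its MPLS router, tracked route for 10.1.0.0/16 via the 1841, floating static out its outside interface), otherwise return traffic keeps trying the dead MPLS path while the local side has already moved to the tunnel.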

Situation was no longer present so troubleshooting was no longer possible.