ASA IPSEC VPN - Redundant Peer

In a site to site L2L IPSEC VPN, two ASA firewalls, how can I test the redundant peer connection? I want to make sure that if the main site goes down that the ASA will connect to the other remote peer IP.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Alan Huseyin KayahanCommented:
Create a temporary route for the destination IP of the main tunnel to some IP other than the default gateway.

route outside x.x.x.x y.y.y.y

where x.x.x.x is the destination IP of the main tunnel and y.y.y.y is some IP (i.e loopback or some random IP of the interface etc.)

Main site tunnel will go down since the tunnel destination is unreachable. Observe if backup tunnel takes over.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Pete LongTechnical ConsultantCommented:
or remove the secondary peer IP from the cryptomap :)


show cry isa
{Take note of the remote Peer}
(remove the redundant peer)
no crypto map outside_map 1 set peer 456.456.456.456
crypto map outside_map 1 set peer
{Make sure the tunnel comes back up with some ping traffic)
show cry isa
{peer should have changed)
{replace the cryptomap again}
crypto map outside_map 1 set peer 456.456.456.456

You could have course down the redundant interface at the remote site.

Alan Huseyin KayahanCommented:
I dont know if ASA will treat incomplete configuration (If peer, intr acl or transform set is missing, CLI will warn "incomplete configuration" untill all 3 are in place) same as unreachable peer when considering to activate the backup tunnel. Unreachable route or ACL restricted outbound traffic towards peer seems to be a better simulation for "main tunnel down".
tolinromeAuthor Commented:
I forgot to mention that there are 3 asa's in this scenario. The main peer connection, which is working fine and the redundant peer ip to the other asa, which is the backup in case the first goes down. Pete, I think I know what youre saying but I want to be able to connect to the redundant peer just to test.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.