ASA 5505 Peer Settings, originate only for a redundant peer IP?

I have a 5505 with a vpn tunnel to the main site, this is the primary IP in the crypto map. The redundant IP in the crypto is to another firewall. The thought was that if the primary vpn tunnel goes down, or the primary IP is not reachable for any reason then the 5505 would automatically connect to the secondary redundant IP in the crypto map, the secondary firewall. But, upon further reading it seems that the connection type on the 5505 would need to be set as "connection-type originate-only". Is that true? I had it set as bidirectional. In the ASDM, when you edit the crypto map it says:

 "Uni-directional connection type policies are used for LAN-to-LAN redundancy. Tunnel policies of the "Originate Only" connection type may specify up to 10 redundant peers".

So if my purpose is for the 5505 to connect to a primary 5520, and if that isn't available to connect to another 5520, then I would use the "originate only" on the 5505? Would I change the 2 other crypto maps on the other firewall listening to "answer only"?

crypto map outside_map1 2 match address outside_cryptomap
crypto map outside_map1 2 set pfs group5
crypto map outside_map1 2 set peer "ASA 5520 #1 IP Address" "ASA 5520 #2 IP Address"
crypto map outside_map1 2 set ikev1 transform-set TransformSet
crypto map outside_map1 2 set nat-t-disable


Thanks.
LVL 7
tolinromeAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Pete LongTechnical ConsultantCommented:
Whenever I've set this up before - I've never set originate-only and I've not had a problem, though I'm usually seting both peer addresses to two addresses on the SAME firewall (i.e, ISP failover)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tolinromeAuthor Commented:
Thanks, I'll take a look at the article you inserted.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.