IPsec VPN Failover


(Mustafa A) #1

How do I configure VPN failover on a Cisco ASA between two ISPs for two sites?


(Rene Molenaar) #2

Hello Mustafa,

There are two options that come to mind. The first one is to use SLA:

route OUTSIDE 0.0.0.0 0.0.0.0 <IP ISP1> 1 track 1
route OUTSIDE2 0.0.0.0 0.0.0.0 <IP ISP2> 100


sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface OUTSIDE
 num-packets 3
 timeout 1000
 frequency 10

sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

This will use ISP1 until 8.8.8.8 becomes unreachable. This is helpful if you have a single remote peer for your VPN and you need redundancy with two ISPs.

If you want failover for your VPN and you have multiple remote peers then you can specify multiple peer IP addresses:

crypto isakmp enable OUTSIDE
crypto isakmp enable OUTSIDE2

crypto map MY_CRYPTO_MAP 10 set peer <PEER A IP> <PEER B IP>

The ASA will try to establish a VPN with “PEER A IP” and when it fails, it tries “PEER B IP”.

Rene
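The following is an added illustration, not part of the post above and not Cisco code. It models the two mechanisms Rene describes so their interaction can be checked offline: a tracked static route (AD 1) that is withdrawn when SLA track 1 goes down, leaving the floating static (AD 100) via OUTSIDE2, and an ordered peer list from "set peer" that is tried left to right. Assumptions: an SLA operation is treated as successful if any of its num-packets echoes is answered, the "show track" sample is constructed, and its "Reachability is Up/Down" line format is assumed from typical ASA output; the <IP ISP1>/<PEER A IP> placeholders are the post's own.

```python
"""Offline model of ASA VPN failover: tracked default routes + ordered IKE peers.

Added example (not Cisco's or the poster's code). It reproduces the decision
logic of 'route ... track', administrative distance and 'set peer A B'.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class StaticRoute:
    interface: str
    next_hop: str
    distance: int                 # administrative distance from the 'route' command
    track: Optional[int] = None   # track object id, None for an untracked route


# Routes exactly as configured in the post: ISP1 tracked with AD 1,
# ISP2 as a floating static with AD 100 (placeholders kept from the post).
ROUTES = [
    StaticRoute("OUTSIDE", "<IP ISP1>", 1, track=1),
    StaticRoute("OUTSIDE2", "<IP ISP2>", 100),
]

# Peer order from 'crypto map MY_CRYPTO_MAP 10 set peer <PEER A IP> <PEER B IP>'.
PEERS = ["<PEER A IP>", "<PEER B IP>"]


def sla_operation_ok(echo_replies: List[bool]) -> bool:
    """One SLA operation sends 'num-packets' echoes (3 in the post).

    Assumption of this model: the operation counts as OK when at least one
    echo is answered within 'timeout'; three lost echoes mark it failed.
    """
    return any(echo_replies)


def active_default_route(routes: List[StaticRoute],
                         track_state: Dict[int, bool]) -> StaticRoute:
    """A tracked static route is a candidate only while its track is up;
    among the candidates the lowest administrative distance is installed."""
    candidates = [r for r in routes
                  if r.track is None or track_state.get(r.track, False)]
    if not candidates:
        raise RuntimeError("no usable default route")
    return min(candidates, key=lambda r: r.distance)


def select_peer(peers: List[str],
                ike_succeeds: Callable[[str], bool]) -> Optional[str]:
    """Try the configured peers in order and return the first that negotiates."""
    for peer in peers:
        if ike_succeeds(peer):
            return peer
    return None


# Constructed 'show track' output (format assumed from typical ASA output),
# captured while 8.8.8.8 is unreachable.
SHOW_TRACK_SAMPLE = """\
Track 1
  Response Time Reporter 1 reachability
  Reachability is Down
  3 changes, last change 00:00:12
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0
"""


def parse_show_track(text: str) -> Dict[int, bool]:
    """Map each track id to True (Up) / False (Down) from 'show track' output."""
    state: Dict[int, bool] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        m = re.match(r"\s*Track (\d+)\b", line)   # 'Tracked by:' does not match
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"\s*Reachability is (Up|Down)", line)
        if m and current is not None:
            state[current] = m.group(1) == "Up"
    return state


if __name__ == "__main__":
    # Path 1: ISP failover. Three lost echoes -> track 1 down -> floating static wins.
    track_state = {1: sla_operation_ok([False, False, False])}
    print("active default via", active_default_route(ROUTES, track_state).interface)
    print("parsed from show track:", parse_show_track(SHOW_TRACK_SAMPLE))
    # Path 2: peer failover. PEER A does not answer, so PEER B is used.
    print("negotiated with", select_peer(PEERS, lambda p: p == "<PEER B IP>"))
```

Feeding real "show track" output into parse_show_track and comparing with active_default_route is a quick way to confirm, during a planned ISP outage test, that the floating static actually took over rather than only the track flapping.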