How to configure VPN failover in Cisco ASA between two ISPs for two sites?
Hello Mustafa,
There are two options that come to mind. The first one is to use SLA:
route OUTSIDE 0.0.0.0 0.0.0.0 <IP ISP1> 1 track 1
route OUTSIDE2 0.0.0.0 0.0.0.0 <IP ISP2> 100
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface OUTSIDE
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
This will use ISP1 until 8.8.8.8 becomes unreachable. This is helpful if you have a single remote peer for your VPN and you need redundancy with two ISPs.
If you want failover for your VPN and you have multiple remote peers then you can specify multiple peer IP addresses:
crypto isakmp enable OUTSIDE
crypto isakmp enable OUTSIDE2
crypto map MY_CRYPTO_MAP 10 set peer <PEER A IP> <PEER B IP>
The ASA will try to establish a VPN with “PEER A IP” and when it fails, it tries “PEER B IP”.
Rene
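A small pre-push check for the two pieces of configuration above, written as an added example and not part of the original thread or of any Cisco tooling. It parses the plain-text route, sla monitor, track, isakmp and crypto map lines, then verifies the relationships that make the failover actually work: the tracked primary default route must have a lower administrative distance than the untracked backup, the track object must point at a defined SLA monitor, that monitor must probe out of the primary interface (otherwise the track never reflects ISP1 health), and ISAKMP must be enabled on every ISP interface. The configuration strings, gateway and peer addresses are constructed placeholders, not values from the post.

```python
"""Sanity-check an ASA dual-ISP / dual-peer VPN failover snippet (added example)."""
from __future__ import annotations
import re

# Constructed sample matching the layout of the post; addresses are placeholders.
SAMPLE_CONFIG = """\
route OUTSIDE 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route OUTSIDE2 0.0.0.0 0.0.0.0 198.51.100.1 100
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface OUTSIDE
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
crypto isakmp enable OUTSIDE
crypto isakmp enable OUTSIDE2
crypto map MY_CRYPTO_MAP 10 set peer 192.0.2.10 192.0.2.20
"""

# Same snippet with two classic mistakes: backup AD equal to the primary's,
# and the probe sent out of the backup interface instead of the tracked one.
BAD_CONFIG = (SAMPLE_CONFIG
              .replace("198.51.100.1 100", "198.51.100.1 1")
              .replace("interface OUTSIDE\n", "interface OUTSIDE2\n"))

ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)(?: track (\d+))?$")
SLA_RE = re.compile(r"^sla monitor (\d+)$")
ECHO_RE = re.compile(r"^type echo protocol ipIcmpEcho (\S+) interface (\S+)$")
TRACK_RE = re.compile(r"^track (\d+) rtr (\d+) reachability$")
ISAKMP_RE = re.compile(r"^crypto isakmp enable (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")


def parse_asa(config: str) -> dict:
    """Extract the failover-relevant objects from a running-config fragment."""
    state = {"routes": [], "sla": {}, "tracks": {}, "isakmp": set(), "peers": {}}
    current_sla = None  # id of the 'sla monitor N' block whose sub-commands follow
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ROUTE_RE.match(line):
            iface, gw, ad, track = m.groups()
            state["routes"].append({"iface": iface, "gw": gw, "ad": int(ad),
                                    "track": int(track) if track else None})
        elif m := SLA_RE.match(line):
            current_sla = int(m.group(1))
            state["sla"].setdefault(current_sla, {})
        elif current_sla is not None and (m := ECHO_RE.match(line)):
            state["sla"][current_sla].update(target=m.group(1), iface=m.group(2))
        elif m := TRACK_RE.match(line):
            state["tracks"][int(m.group(1))] = int(m.group(2))
        elif m := ISAKMP_RE.match(line):
            state["isakmp"].add(m.group(1))
        elif m := PEER_RE.match(line):
            state["peers"][m.group(1)] = m.group(3).split()
    return state


def check_failover(state: dict) -> list[str]:
    """Return a list of problems; an empty list means the failover wiring is consistent."""
    findings: list[str] = []
    tracked = [r for r in state["routes"] if r["track"] is not None]
    backups = [r for r in state["routes"] if r["track"] is None]
    if len(tracked) != 1:
        return [f"expected exactly one tracked default route, found {len(tracked)}"]
    primary = tracked[0]
    if not backups:
        findings.append("no untracked backup default route; nothing to fall back to")
    for b in backups:
        # A floating static only takes over if its AD is strictly higher.
        if b["ad"] <= primary["ad"]:
            findings.append(f"backup route via {b['iface']} has AD {b['ad']} <= primary AD "
                            f"{primary['ad']}; the primary route would never be preferred")
    sla_id = state["tracks"].get(primary["track"])
    if sla_id is None:
        findings.append(f"track {primary['track']} is referenced by the route but not defined")
    else:
        probe = state["sla"].get(sla_id)
        if not probe or "iface" not in probe:
            findings.append(f"sla monitor {sla_id} has no ipIcmpEcho probe defined")
        elif probe["iface"] != primary["iface"]:
            findings.append(f"sla monitor {sla_id} probes via {probe['iface']} but the tracked "
                            f"route is on {primary['iface']}; the track would not reflect ISP1 health")
    for r in state["routes"]:
        if r["iface"] not in state["isakmp"]:
            findings.append(f"isakmp not enabled on {r['iface']}; no tunnel can be built over that ISP")
    for name, peers in state["peers"].items():
        if len(peers) != len(set(peers)):
            findings.append(f"crypto map {name} lists a duplicate peer")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_failover(parse_asa(cfg)) or "OK")
```

Run it against a `show run` fragment before changing the live box; the second constructed config shows the two findings a reviewer most often has to catch by hand. A single entry in `set peer` is deliberately not flagged, because that is the valid single-remote-peer layout the answer describes.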