How do I configure VPN failover on a Cisco ASA between two ISPs for two sites?
There are two options that come to mind. The first one is to use SLA:
    ! Primary default route via ISP1, installed only while track 1 is up
    route OUTSIDE 0.0.0.0 0.0.0.0 <IP ISP1> 1 track 1
    ! Backup default route via ISP2 with a worse administrative distance
    route OUTSIDE2 0.0.0.0 0.0.0.0 <IP ISP2> 100
    ! ICMP probe through ISP1 that decides the state of track 1
    sla monitor 1
     type echo protocol ipIcmpEcho 22.214.171.124 interface OUTSIDE
     num-packets 3
     timeout 1000
     frequency 10
    sla monitor schedule 1 life forever start-time now
    track 1 rtr 1 reachability
This will use ISP1 until 126.96.36.199 becomes unreachable. This is helpful if you have a single remote peer for your VPN and you need redundancy with two ISPs.
If you want failover for your VPN and you have multiple remote peers then you can specify multiple peer IP addresses:
    crypto isakmp enable OUTSIDE
    crypto isakmp enable OUTSIDE2
    ! Peers are tried in the order listed
    crypto map MY_CRYPTO_MAP 10 set peer <PEER A IP> <PEER B IP>
The ASA will try to establish a VPN with “PEER A IP” and when it fails, it tries “PEER B IP”.
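As an added example that is not part of the answer above, here is a small Python check that reads the ASA's `show track` and `show route` output and reports whether the tracked default route has moved to ISP2, so an operator notices a failover instead of discovering it when the remote peer sees traffic from the wrong source address. The sample output is constructed, the output format is assumed from Cisco's documentation rather than captured from a device, and the gateway-to-ISP mapping is hypothetical; adjust the regexes to your ASA version.

```python
import re

# Constructed sample output, shaped like the ASA's "show track" and
# "show route" commands (format assumed from Cisco docs, not captured here).
SHOW_TRACK = """\
Track 1
  Response Time Reporter 1 reachability
  Reachability is Down
  3 changes, last change 00:00:12
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0
"""
SHOW_ROUTE = """\
Gateway of last resort is 198.51.100.1 to network 0.0.0.0

S*   0.0.0.0 0.0.0.0 [100/0] via 198.51.100.1, OUTSIDE2
C    203.0.113.0 255.255.255.252 is directly connected, OUTSIDE
"""
# Hypothetical gateway-to-ISP mapping standing in for <IP ISP1> / <IP ISP2>.
ISP_BY_GATEWAY = {"203.0.113.1": "ISP1", "198.51.100.1": "ISP2"}


def track_reachability(text):
    """Map each track id in 'show track' output to True (Up) or False (Down)."""
    state, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"^Track (\d+)", line):
            current = int(m.group(1))
        elif (m := re.match(r"^\s+Reachability is (Up|Down)", line)) and current is not None:
            state[current] = m.group(1) == "Up"
    return state


def default_route(text):
    """Return (distance, gateway, interface) of the installed S* default route, or None."""
    m = re.search(r"^S\*\s+0\.0\.0\.0 0\.0\.0\.0 \[(\d+)/\d+\] via (\S+), (\S+)$",
                  text, re.M)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None


def failover_report(track_text, route_text, isp_by_gateway=ISP_BY_GATEWAY):
    """Report which ISP carries the default route and whether failover has occurred."""
    tracks = track_reachability(track_text)
    route = default_route(route_text)
    if route is None:
        return {"active_isp": None, "track1_up": tracks.get(1), "failed_over": None}
    distance, gateway, _ = route
    # Distance 1 is the tracked primary route from the answer; 100 is the backup.
    return {"active_isp": isp_by_gateway.get(gateway, "unknown"),
            "track1_up": tracks.get(1),
            "failed_over": distance > 1 or tracks.get(1) is False}


if __name__ == "__main__":
    print(failover_report(SHOW_TRACK, SHOW_ROUTE))
```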