Cisco ASA S2S VPN & ISP Failover

If you don’t have the luxury of BGP on your circuits, you can’t keep the same externally advertised IP while failing over between ISPs.  I had a client with two sites where HQ had BGP but a sister site did not.  So, when the sister site’s primary ISP went down, so would the Site-to-Site VPN to the HQ.  Fortunately, Cisco has made it super easy for those using the ASA operating system as the termination point, instead of a router, to automatically activate a “backup” VPN.

So, we have Site A (HQ) with external IP (BGP) and Site B (Sister) with external IP for the Primary ISP and for the Secondary ISP.  As we stated the VPN works great when the sister site is on the primary ISP with external IP  But, when that ISP goes down and moves to the secondary the advertised external IP goes to  To have the VPN come up automatically when things move over to the secondary ISP run the following commands on the ASA sitting in Site A (HQ).

crypto map <usethevpnmapname> <usethevpnmapseqnumber> set peer

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key <entertheexistingpresharedkey>

That’s all it takes!  The next time the sister site fails over to the backup ISP the S2S VPN will come up within a minute or two.

-Justin Vashisht (3cVguy)
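
A check for the change described above, as an added example that is not from the original post: it reads an ASA running-config and reports any peer named on a crypto map "set peer" line that has no ipsec-l2l tunnel-group with a pre-shared key, which would keep the backup tunnel from authenticating after a failover. The sample config, map name and documentation-range addresses are constructed, and pre-shared-key authentication is assumed, as in the post.

```python
import re

# Constructed HQ running-config excerpt (documentation-range IPs, hypothetical names).
SAMPLE_CONFIG = """\
crypto map OUTSIDE_MAP 10 match address SITEB_ACL
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10 203.0.113.20
crypto map OUTSIDE_MAP 20 set peer 192.0.2.77
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 192.0.2.77 type ipsec-l2l
tunnel-group 192.0.2.77 ipsec-attributes
 pre-shared-key *****
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TYPE_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l\s*$")
ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")
PSK_RE = re.compile(r"\bpre-shared-key\s+\S+")

def audit_backup_peers(config):
    """Return (map, seq, peer, problem) for each peer without a usable tunnel-group."""
    peers, l2l, psk = [], set(), set()
    current = None  # tunnel-group whose ipsec-attributes submode we are inside
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # an unindented line ends any submode
        if m := PEER_RE.match(line):
            # One crypto map entry may list several peers (primary first, then backup).
            peers += [(m[1], int(m[2]), ip) for ip in m[3].split()]
        elif m := TYPE_RE.match(line):
            l2l.add(m[1])
        elif m := ATTR_RE.match(line):
            current = m[1]
        elif current and PSK_RE.search(line):
            psk.add(current)
    findings = []
    for name, seq, ip in peers:
        if ip not in l2l:
            findings.append((name, seq, ip, "no ipsec-l2l tunnel-group"))
        elif ip not in psk:
            findings.append((name, seq, ip, "tunnel-group has no pre-shared-key"))
    return findings

if __name__ == "__main__":
    for finding in audit_backup_peers(SAMPLE_CONFIG):
        print(finding)
```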
