Those without the luxury of having BGP enabled on their circuits can’t take advantage of keeping the same externally advertised IP while failing over between ISPs. I had a client with two sites where HQ had BGP but a sister site did not. So, when the sister site’s primary ISP went down, so would the site-to-site VPN to HQ. Fortunately, Cisco has made it super easy for those using the ASA operating system as the termination point instead of a router to automatically activate a “backup” VPN.
So, we have Site A (HQ) with external IP 188.8.131.52 (BGP) and Site B (Sister) with external IP 184.108.40.206 on the primary ISP and 220.127.116.11 on the secondary ISP. As stated, the VPN works great while the sister site is on the primary ISP with external IP 18.104.22.168. But when that ISP goes down and traffic moves to the secondary, the advertised external IP becomes 22.214.171.124. To have the VPN come up automatically when things move over to the secondary ISP, run the following commands on the ASA at Site A (HQ):
crypto map <usethevpnmapname> <usethevpnmapseqnumber> set peer 126.96.36.199 188.8.131.52
tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 220.127.116.11 ipsec-attributes
 ikev1 pre-shared-key <usethesamepresharedkeyastheprimarypeer>
That’s all it takes! The next time the sister site fails over to the backup ISP, the S2S VPN will come up within a minute or two.
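For those who want to see the whole picture, here is a fuller configuration for both ends of this setup. It is an added example, not taken from the post above or from the client’s ASAs: Site A lists both Site B addresses as peers with a matching pre-shared key for each, and Site B (the side the post does not show) tracks its primary ISP gateway with an IP SLA probe so the default route, and with it the VPN, moves to the secondary ISP. The interface names (outside, backup), the crypto map and ACL names, the pre-shared key placeholder, the RFC 5737 documentation addresses and the 10.1/10.2 private ranges are all assumed; an existing IKEv1 policy and NAT exemption on both ASAs are assumed too, and the ASA 8.4+ “ikev1” keyword form is used.

```cisco
! ---- Site A (HQ), interface outside = 192.0.2.1 (placeholder addresses throughout) ----
access-list VPN-TO-SITEB extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITEB
! both Site B addresses, primary ISP first: the ASA tries them in this order
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES256
crypto map OUTSIDE_MAP interface outside
! one tunnel-group per peer address, both carrying the same pre-shared key
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <SAMEKEY>
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <SAMEKEY>
!
! ---- Site B, outside (primary ISP) = 198.51.100.10, backup (secondary ISP) = 203.0.113.10 ----
access-list VPN-TO-SITEA extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
! ICMP probe of the primary ISP gateway; when it stops answering, track 1 goes down
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
! tracked default route via the primary ISP; floating static route via the secondary
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
crypto ikev1 enable outside
crypto ikev1 enable backup
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
! one crypto map per ISP interface, both pointing at the single HQ peer
crypto map MAP_PRI 10 match address VPN-TO-SITEA
crypto map MAP_PRI 10 set peer 192.0.2.1
crypto map MAP_PRI 10 set ikev1 transform-set TS-AES256
crypto map MAP_PRI interface outside
crypto map MAP_BKP 10 match address VPN-TO-SITEA
crypto map MAP_BKP 10 set peer 192.0.2.1
crypto map MAP_BKP 10 set ikev1 transform-set TS-AES256
crypto map MAP_BKP interface backup
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 ikev1 pre-shared-key <SAMEKEY>
```

One thing to keep in mind: the HQ ASA walks the peer list in order only when it negotiates, so once the tunnel is up through the secondary address it stays there until that tunnel is torn down, and Site B’s return to its primary ISP is only picked up at the next negotiation. Watch “show crypto ikev1 sa” on the HQ side after a failover to confirm which Site B address the tunnel landed on.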
-Justin Vashisht (3cVguy)