Those without the luxury of BGP on their circuits can’t keep the same externally advertised IP while failing over between ISPs. I had a client with two sites where HQ had BGP but a sister site did not. So, when the sister site’s primary ISP went down, so would the Site-to-Site VPN to HQ. Fortunately, Cisco has made it super easy for those using the ASA as the termination point instead of a router to automatically bring up a “backup” VPN.
So, we have Site A (HQ) with external IP 184.108.40.206 (BGP) and Site B (Sister) with external IP 220.127.116.11 on the Primary ISP and 18.104.22.168 on the Secondary ISP. As stated, the VPN works great while the sister site is on the primary ISP with external IP 22.214.171.124. But when that ISP goes down and traffic moves to the secondary, the advertised external IP becomes 126.96.36.199. To have the VPN come up automatically when things move over to the secondary ISP, run the following commands on the ASA sitting in Site A (HQ):
crypto map <usethevpnmapname> <usethevpnmapseqnumber> set peer 188.8.131.52 184.108.40.206
tunnel-group 220.127.116.11 type ipsec-l2l
tunnel-group 18.104.22.168 ipsec-attributes
That’s all it takes! The crypto map now lists both Site B addresses as valid peers, and the second tunnel-group lets the HQ ASA authenticate IKE coming from the backup address. The next time the sister site fails over to the backup ISP, the S2S VPN will come up within a minute or two.
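A fuller version of the same configuration, added here as an example rather than the original post’s commands: it uses the Site B addresses from above, assumes a crypto map named outside_map with sequence 10 (both assumed names), uses a placeholder for the shared secret, and adds the pre-shared key each tunnel-group needs plus the show commands to confirm which peer the tunnel came up with after a failover.

```cisco
! Added example, not the original post's config. Assumed names: crypto map
! "outside_map" sequence 10; the pre-shared key is a placeholder to replace.
! Both Site B addresses are listed as acceptable peers for this map entry.
crypto map outside_map 10 set peer 220.127.116.11 18.104.22.168
!
! Site B primary ISP address (already present if the VPN worked before).
tunnel-group 220.127.116.11 type ipsec-l2l
tunnel-group 220.127.116.11 ipsec-attributes
 pre-shared-key <REPLACE-WITH-SHARED-SECRET>
!
! Site B secondary ISP address: the ASA only accepts IKE from a peer that
! has its own tunnel-group, so the backup address needs one as well. Site B
! has a single tunnel-group for HQ, so the same key is used for both.
tunnel-group 18.104.22.168 type ipsec-l2l
tunnel-group 18.104.22.168 ipsec-attributes
 pre-shared-key <REPLACE-WITH-SHARED-SECRET>
!
! After a failover, check which address the IKE and IPsec SAs are built with.
show crypto isakmp sa
show crypto ipsec sa peer 18.104.22.168
```

If the secondary address never shows up in the SA output after a failover, the usual cause is a pre-shared key mismatch between the new tunnel-group and Site B, which the ASA logs as an IKE authentication failure rather than a routing problem.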
-Justin Vashisht (3cVguy)