Those without the luxury of BGP on their circuits can’t keep the same externally advertised IP while failing over between ISPs. I had a client with two sites where HQ had BGP but a sister site did not, so when the sister site’s primary ISP went down, so did the site-to-site VPN to HQ. Fortunately, Cisco has made it easy for those terminating the VPN on an ASA instead of a router to automatically activate a “backup” VPN peer.
So, we have Site A (HQ) with external IP 18.104.22.168 (BGP) and Site B (sister) with external IP 22.214.171.124 on the primary ISP and 126.96.36.199 on the secondary ISP. As stated, the VPN works fine while the sister site is on the primary ISP with external IP 22.214.171.124. But when that ISP goes down and the site moves to the secondary, the advertised external IP becomes 126.96.36.199. To have the VPN come up automatically when things move over to the secondary ISP, run the following commands on the ASA sitting in Site A (HQ).
crypto map <usethevpnmapname> <usethevpnmapseqnumber> set peer 22.214.171.124 126.96.36.199
tunnel-group 126.96.36.199 type ipsec-l2l
tunnel-group 126.96.36.199 ipsec-attributes
 ikev1 pre-shared-key <samekeyastheprimarypeer>
The first address after set peer is the primary peer and the second is the backup; the ASA tries them in that order. The tunnel-group for the primary peer (22.214.171.124) already exists, so only the backup peer needs one, using the same pre-shared key as the primary. On ASA releases before 8.4 the sub-command is pre-shared-key rather than ikev1 pre-shared-key.
That’s all it takes! The next time the sister site fails over to the backup ISP, the S2S VPN will come up within a minute or two.
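The mistake that most often keeps a backup peer from ever coming up is listing it under set peer while forgetting its tunnel-group (or the pre-shared key inside it). The following checker, an added example written for this post and not Cisco's or the author's code, parses a running-config fragment and reports every set peer address that has no matching tunnel-group of type ipsec-l2l or no pre-shared key. The configuration text is constructed for the example (the map name outside_map, the ACL name, and the transform-set are assumptions); the peer addresses are the ones used above.

```python
import re

# Constructed sample ASA configuration fragment (assumed map/ACL names,
# not from a real device). Only the primary peer has a tunnel-group.
SAMPLE_CONFIG = """
crypto map outside_map 10 match address HQ-to-Sister
crypto map outside_map 10 set peer 22.214.171.124 126.96.36.199
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
tunnel-group 22.214.171.124 type ipsec-l2l
tunnel-group 22.214.171.124 ipsec-attributes
 ikev1 pre-shared-key *****
"""

# The lines the post adds for the backup peer (key masked as show run does).
BACKUP_PEER_FIX = """
tunnel-group 126.96.36.199 type ipsec-l2l
tunnel-group 126.96.36.199 ipsec-attributes
 ikev1 pre-shared-key *****
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TG_TYPE_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
TG_ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
# ASA 8.4+ writes 'ikev1 pre-shared-key'; older releases 'pre-shared-key'.
PSK_RE = re.compile(r"^\s+(?:ikev1 )?pre-shared-key\s+\S+")


def parse_config(text):
    """Return (peers per crypto-map entry, l2l tunnel-groups, groups with a PSK)."""
    peers = {}            # (map name, seq) -> [peer, ...] in set-peer order
    l2l_groups = set()
    groups_with_psk = set()
    current_attr_group = None   # tunnel-group whose ipsec-attributes we are in
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers[(m.group(1), m.group(2))] = m.group(3).split()
            current_attr_group = None
            continue
        m = TG_TYPE_RE.match(line)
        if m:
            l2l_groups.add(m.group(1))
            current_attr_group = None
            continue
        m = TG_ATTR_RE.match(line)
        if m:
            current_attr_group = m.group(1)
            continue
        if current_attr_group and PSK_RE.match(line):
            groups_with_psk.add(current_attr_group)
        elif line and not line[0].isspace():
            # Any other top-level command ends the ipsec-attributes block.
            current_attr_group = None
    return peers, l2l_groups, groups_with_psk


def find_unreachable_peers(text):
    """List (map, seq, peer, [missing items]) for peers the ASA cannot bring up."""
    peers, l2l_groups, groups_with_psk = parse_config(text)
    problems = []
    for (name, seq), addrs in peers.items():
        for addr in addrs:
            missing = []
            if addr not in l2l_groups:
                missing.append("type ipsec-l2l")
            if addr not in groups_with_psk:
                missing.append("pre-shared-key")
            if missing:
                problems.append((name, seq, addr, missing))
    return problems


if __name__ == "__main__":
    for cfg_name, cfg in (("before", SAMPLE_CONFIG),
                          ("after", SAMPLE_CONFIG + BACKUP_PEER_FIX)):
        print(cfg_name, find_unreachable_peers(cfg))
```

Run against the fragment as it stands, the checker flags the backup peer 126.96.36.199 as missing both its ipsec-l2l tunnel-group and a pre-shared key; after the post's fix lines are appended, it reports nothing. Feeding it the output of show running-config from the HQ ASA is a quick way to confirm the backup peer is fully defined before waiting for a real failover to find out.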
-Justin Vashisht (3cVguy)