Those without the luxury of BGP on their circuits can't keep the same externally advertised IP while failing over between ISPs. I had a client with two sites where HQ had BGP but a sister site did not. So, whenever the sister site's primary ISP went down, so did the Site-to-Site VPN to HQ. Fortunately, Cisco has made it very easy for those using the ASA operating system as the termination point, instead of a router, to automatically bring up a "backup" VPN to the second peer address.
So, we have Site A (HQ) with external IP 220.127.116.11 (BGP) and Site B (Sister) with external IP 18.104.22.168 on the primary ISP and 22.214.171.124 on the secondary ISP. As stated, the VPN works great while the sister site is on the primary ISP with external IP 126.96.36.199. But when that ISP goes down and traffic moves to the secondary, the advertised external IP becomes 188.8.131.52, and the HQ ASA does not know that address as a valid peer. To have the VPN come up automatically when things move over to the secondary ISP, run the following commands on the ASA sitting in Site A (HQ). The crypto map entry gets both Site B addresses as peers (the ASA tries them in the order listed), and the secondary address gets its own tunnel-group, because Phase 1 will fail for a peer that has no tunnel-group and pre-shared key.
crypto map <usethevpnmapname> <usethevpnmapseqnumber> set peer 184.108.40.206 220.127.116.11
tunnel-group 18.104.22.168 type ipsec-l2l
tunnel-group 22.214.171.124 ipsec-attributes
 ikev1 pre-shared-key <samekeyastheprimarytunnelgroup>
The pre-shared-key line is entered inside the ipsec-attributes submode and should carry the same key the primary tunnel-group already uses; on ASA releases before 8.4 the keyword is simply pre-shared-key rather than ikev1 pre-shared-key.
That's all it takes! The next time the sister site fails over to the backup ISP, the S2S VPN will come up within a minute or two. You can confirm which peer the tunnel is currently established with using show crypto isakmp sa and show crypto ipsec sa on the HQ ASA.
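The most common way this setup fails is a second peer added to the crypto map without a matching tunnel-group (or a tunnel-group without a pre-shared key). The following script, an added example that is not part of the original post, parses an ASA config excerpt and reports any crypto-map peer that lacks either piece; the config text and addresses are constructed for illustration.

```python
import re

# Constructed ASA config excerpt (not from the original post); addresses are
# RFC 5737 documentation ranges. The crypto map names a primary and a backup
# peer, but only the primary peer has a complete tunnel-group.
SAMPLE_CONFIG = """\
crypto map outside_map 10 match address SITEB_TRAFFIC
crypto map outside_map 10 set peer 203.0.113.10 198.51.100.20
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 198.51.100.20 type ipsec-l2l
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TG_TYPE_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
TG_ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
PSK_RE = re.compile(r"^\s+(ikev1 )?pre-shared-key \S+")  # 8.4+ and older syntax

def check_backup_peers(config: str) -> dict:
    """Return {peer_ip: [missing items]} for every crypto-map peer that has
    no ipsec-l2l tunnel-group or no pre-shared key in its ipsec-attributes."""
    peers = []            # every address named on any 'set peer' line
    l2l_groups = set()    # tunnel-groups declared as type ipsec-l2l
    psk_groups = set()    # tunnel-groups whose ipsec-attributes hold a PSK
    current_group = None  # tunnel-group whose submode we are inside, if any
    for line in config.splitlines():
        if m := PEER_RE.match(line):
            peers.extend(m.group(3).split())
            current_group = None
        elif m := TG_TYPE_RE.match(line):
            l2l_groups.add(m.group(1))
            current_group = None
        elif m := TG_ATTR_RE.match(line):
            current_group = m.group(1)
        elif current_group and PSK_RE.match(line):
            psk_groups.add(current_group)
        elif not line.startswith(" "):
            current_group = None  # any other top-level line ends the submode
    problems = {}
    for peer in peers:
        missing = []
        if peer not in l2l_groups:
            missing.append("tunnel-group type ipsec-l2l")
        if peer not in psk_groups:
            missing.append("pre-shared-key under ipsec-attributes")
        if missing:
            problems[peer] = missing
    return problems

if __name__ == "__main__":
    for peer, missing in check_backup_peers(SAMPLE_CONFIG).items():
        print(f"peer {peer}: missing {', '.join(missing)}")
```

Run it against the output of show running-config from the HQ ASA; an empty result means every peer listed in the crypto map can complete Phase 1.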
-Justin Vashisht (3cVguy)