
I just configured my Cisco ASA 5505 to fail over to a backup internet line when the main outside interface is down. This all works fine.

Also, I have a site-to-site IPSEC VPN tunnel from this ISP-redundant ASA to our ASA in the datacenter. The failover of the VPN to the backup ISP line also works great.

However, the VPN tunnel does not fail back to the main line when the main internet line gets back online.

So, I do this for testing:

  • I disconnect the main line.
  • Internet traffic and the VPN tunnel are failed over to the backup line.
  • I reconnect the main line.
  • Internet traffic is failed back to the main line, but now 2 IPSEC tunnels to the datacenter exist: one over the main line, and one over the backup line.

How do I configure my ASA in such a way that the VPN fails back to the main line? I don't want it to use the backup line when everything is fine on the main line, since the backup line is much slower.

I found some documentation on the Cisco website which tells me that I should be able to set a "preferred peer" in the properties of the crypto map, but is that for IOS (non-ASA) routers only?

Mbrouwer88

  • Are you using the sla monitor command? Here's a Cisco forum post explaining how to use it - https://supportforums.cisco.com/blog/150001. – Tim Jul 01 '15 at 18:27
  • Please post your configuration (redacting credentials) here so we can review what you have done and what needs to be changed. – user5870571 Aug 14 '16 at 16:04
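For reference, this is the tracked-default-route ISP failover that Tim's comment about `sla monitor` refers to, written as an added example and not taken from the question's own configuration; interface names, addresses (RFC 5737 ranges) and sequence numbers are placeholders, and the caveat at the end is an assumption about why a second tunnel would remain after failback.

```cisco
! Added example (not the asker's config): ISP failover on an ASA using an
! SLA probe and a tracked default route. Names and addresses are placeholders.
!
! Probe the main line's gateway (placeholder 203.0.113.1) every 10 seconds
! through the "outside" interface; three echoes per probe.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Track object 1 follows the probe's reachability state.
track 1 rtr 10 reachability
!
! The primary default route (metric 1) is installed only while track 1 is up.
! The backup default route (metric 254) takes over when the primary route is
! withdrawn, and is shadowed again as soon as the primary route returns.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Caveat (assumption, consistent with the two tunnels observed in the question):
! route tracking only moves the default route. An IPsec SA that was built on
! the "backup" interface during the outage is not torn down when the primary
! route reappears; it stays up until its SA lifetime or an idle timeout clears
! it, so both tunnels can coexist until then.
```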
