Guide to VPN Failover With An MX to ASA?
Has anyone worked up a guide to configuring VPN failover from WAN 1 to WAN 2 where the other end is an ASA? On the MX the configuration should be trivial, but on the ASA side it might be a bit more involved. Haven't found anything here or in the Cisco Community on the topic that goes into specifics.
Also, does the MX support stateful failover for VPN traffic going to third party endpoints? For example, would TCP sessions and NAT translations be capable of being immediately reassigned to the VPN tunnel on WAN 2, without the need for the endpoints to restart whatever sessions they're running?
You can only do it using IKEv1. Cisco removed the functionality for IKEv2.
All you do on the "set peer" line is add a second IP address - your WAN2 IP address.
Thinking about it more, you could use IKEv2, but put the ASA into responder mode only (so it won't attempt to build the VPN), and authenticate based on an identity presented by IKEv2 on the MX.
Search for "remote id" in this article:
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings
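As an added illustration of the IKEv1 approach described in the answer above (example configuration, not from the original thread or from Meraki/Cisco documentation), here is what the ASA side can look like with both MX WAN addresses on one "set peer" line. The addresses, object names, subnets and crypto parameters are constructed placeholders; the IKE policy and transform set must match whatever is configured on the MX, and the pre-shared key must be replaced.

```text
! Added example (not from the thread): ASA IKEv1 site-to-site to an MX with two WAN uplinks.
! Constructed placeholders: 203.0.113.10 = MX WAN1, 203.0.113.20 = MX WAN2,
! 10.1.0.0/16 behind the ASA, 10.2.0.0/16 behind the MX.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800

crypto ipsec ikev1 transform-set MX-TS esp-aes-256 esp-sha-hmac

access-list MX-VPN extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! Both MX WAN addresses on a single set peer line: the ASA tries the peers in
! order when it initiates, and accepts the tunnel from either when the MX initiates.
crypto map OUTSIDE_MAP 10 match address MX-VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 203.0.113.20
crypto map OUTSIDE_MAP 10 set ikev1 transform-set MX-TS
crypto map OUTSIDE_MAP interface outside

! With IKEv1 pre-shared keys the tunnel-group name is the peer address,
! so each MX WAN IP needs its own tunnel-group carrying the same key.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_SHARED_KEY
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_SHARED_KEY
```

After applying it, "show crypto ikev1 sa" and "show crypto ipsec sa peer 203.0.113.20" on the ASA show which MX uplink the tunnel is currently built to, which is the quickest way to confirm a failover actually moved the tunnel rather than just dropping it.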