Meraki -> ASA VPN with Failover

New here

Meraki -> ASA VPN with Failover

We have a virtual Meraki MX device in an AWS VPC, connecting back to our primary office's ASA over an IPSec tunnel.

Our office has a backup fibre line for instances where our primary line goes down, and as such the ASA has two public facing IP addresses. I can't seem to see a way to configure a backup IP address for the ASA end of the tunnel in the Meraki interface to enable this tunnel to failover automatically, and I can't simply set up two tunnels because they'll both be routing the same /16 subnet.

Is it possible to configure a failover situation like this so that when our primary line goes down the tunnel will switchover to the failover peer address?

3 Replies 3
Kind of a big deal
Kind of a big deal

I can't think of a way you could make this work.  This is also a very unusual configuration.  You normally use a vMX with a physical on-premise MX.


I would strongly suggest you consider getting an on premise MX to terminate the VPN, even if you keep the ASA.

This is an old thread, but I'm now running into the same issue.  I disagree with the statement this is an unusual configuration since it has been a standard configuration in other Cisco firewalls for as long as I can remember.  In an ASA as an example, you simply configure your phase 2 with something like the following:

crypto map outside-vpn-map 999 set peer 

This really is an important feature for the Meraki if it is going to be a viable replacement for other firewall products.  We use a tunnel like this to route traffic through a DLP vendor and since the Meraki firewall replacement, there is now no fault tolerance in the VPN tunnel on the vendor side.


This kind of thing and lack of support for IKEv2 in the VPN tunnels is really disappointing for anyone trying to move to Meraki from other more traditional firewall and networking gear.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.