Site to Site VPN with ASA and Sonicwall


Jul 17, 2001
Could use some help with a setup I'm working on.


SiteB WAN IP-1: Y.Y.Y.Y
SiteB WAN IP-2: Z.Z.Z.Z

Site B is running a Sonicwall firewall with a primary and backup ISP link. Site A is running Cisco ASA 5520 with single WAN IP.

I am able to configure a working site-to-site VPN from SiteA to SiteB WAN IP-1 just fine. It connects and is passing traffic just fine. I figured I could just add a second crypto map to SiteB WAN IP-2, just duplicating the configuration of IP-1. If WAN IP-1 goes down, the ASA will bring up the VPN connection to WAN IP-2, but traffic is only one way, Site B to Site A only. The machines on the SiteA side are able to receive and send, but the FW is not encrypting the traffic back, only decrypting.

Here is a sample of the crypto maps:

access-list outside_3_cryptomap extended permit ip

access-list outside_4_cryptomap extended permit ip

crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer Y.Y.Y.Y
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set security-association lifetime seconds 3600
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer Z.Z.Z.Z
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

Can't use backup-peer here since the other side is not a Cisco device.

Would this configuration even work as I think it should?

That's ghastly.

First problem you would have is that you have crypto maps that are designating the same interesting traffic at site A which is why you are having asymmetrical crypto problems. Traffic is coming in one tunnel and trying to go out the other or vice-versa.

You would probably have to do something with IP SLAs on the ASA which track the reachability of the remote site WAN IPs and use that to influence which tunnel to send the traffic down. Or something like NAT on the backup link so the far end knows which tunnel to send the return traffic to.

Quite honestly I've never seen anyone try that before with redundancy on only one side. I'd charge a lot of money to engineer a solution for something that wonky.
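
The asymmetry described in this reply can be seen with a small model of how a crypto map chooses a peer for outbound traffic. The following is an added illustration, not ASA code and not the poster's configuration: it assumes a simplified first-match evaluation of crypto map sequence numbers, uses constructed site prefixes (10.1.0.0/24 behind the ASA, 10.2.0.0/24 behind the SonicWall), and reuses the thread's Y.Y.Y.Y / Z.Z.Z.Z placeholders as peer names.

```python
# Added illustration for this thread: a simplified, constructed model of how an
# ASA crypto map picks a peer for outbound traffic (first matching sequence
# number wins). It is not ASA code and not the original poster's config; the
# site prefixes below are constructed, and peer names reuse the thread's
# Y.Y.Y.Y / Z.Z.Z.Z placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SITE_A = ip_network("10.1.0.0/24")  # constructed: LAN behind the ASA
SITE_B = ip_network("10.2.0.0/24")  # constructed: LAN behind the SonicWall


@dataclass
class CryptoMapEntry:
    seq: int
    peer: str
    acl: list  # "permit ip" rules as (src_net, dst_net) pairs

    def permits(self, src: str, dst: str) -> bool:
        s, d = ip_address(src), ip_address(dst)
        return any(s in src_net and d in dst_net for src_net, dst_net in self.acl)


@dataclass
class CryptoMap:
    entries: list
    reachable: dict  # constructed WAN reachability state, peer -> bool

    def outbound(self, src: str, dst: str):
        """Pick the peer for a cleartext packet leaving the inside interface.
        Entries are evaluated in sequence order; the first ACL hit decides the
        peer, regardless of which peer the inbound half of the flow came from."""
        for entry in sorted(self.entries, key=lambda e: e.seq):
            if entry.permits(src, dst):
                if self.reachable[entry.peer]:
                    return ("encrypt", entry.peer)
                # IKE to the chosen peer cannot complete; the packet is lost.
                return ("drop", entry.peer)
        return ("cleartext", None)

    def inbound(self, peer: str, src: str, dst: str):
        """Accept a decrypted packet only if it came from a peer whose entry
        permits the mirror of that flow (the proxy-identity check)."""
        for entry in self.entries:
            if entry.peer == peer and entry.permits(dst, src):
                return ("decrypt", entry.peer)
        return ("drop", peer)


def build_posted_map(ip1_up: bool, ip2_up: bool) -> CryptoMap:
    """Two entries with identical interesting traffic, as posted in the thread."""
    rule = [(SITE_A, SITE_B)]
    return CryptoMap(
        entries=[CryptoMapEntry(3, "Y.Y.Y.Y", rule), CryptoMapEntry(4, "Z.Z.Z.Z", rule)],
        reachable={"Y.Y.Y.Y": ip1_up, "Z.Z.Z.Z": ip2_up},
    )


def failover_scenario():
    """WAN IP-1 down: Site B reaches Site A over peer Z, but the reply is
    steered to peer Y by sequence 3 and dropped (one-way traffic)."""
    cmap = build_posted_map(ip1_up=False, ip2_up=True)
    request = cmap.inbound("Z.Z.Z.Z", "10.2.0.10", "10.1.0.10")
    reply = cmap.outbound("10.1.0.10", "10.2.0.10")
    return {"request": request, "reply": reply}


def normal_scenario():
    """Both links up: sequence 3 wins and both directions use peer Y."""
    cmap = build_posted_map(ip1_up=True, ip2_up=True)
    return {
        "request": cmap.inbound("Y.Y.Y.Y", "10.2.0.10", "10.1.0.10"),
        "reply": cmap.outbound("10.1.0.10", "10.2.0.10"),
    }


if __name__ == "__main__":
    print("both links up :", normal_scenario())
    print("WAN IP-1 down :", failover_scenario())
```

Running it shows the one-way pattern from the first post: the request from Site B decrypts fine against sequence 4, while the reply is matched by sequence 3 first and sent toward the unreachable peer. The model deliberately omits IKE retries and dead-peer detection, which change the timing but not the outcome while the first entry still matches the same traffic.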

Bump. Any other thoughts or suggestions? Been doing some research and I can't seem to find any other configuration that involves ASAs. Although, I can see this being accomplished using a Cisco router. Maybe the ASA platform can't handle this.

Do you have SmartNet? You can try to get them on the horn and see if they can help you. They may not be able to help you if the issue is on the SonicWall end.

TAC support is amazing though, give them a shout just to see.

I had another idea involving GRE until I read the SonicWall doesn't support it... Perhaps terminate a GRE tunnel on the other side of the SonicWall on another device and encrypt it with IPsec?