Backup peer mechanism

Last Updated: Nov 06, 2012

You can use any one of these alternate backup peer mechanisms:

  • DNS server (see Failover using DNS). This method uses the Branch Gateway’s DNS resolver to resolve the remote peer’s IP address dynamically through a DNS query.

    Use this feature when your DNS server supports failover through health-checking of redundant hosts. On the DNS server, configure a hostname that resolves to two or more redundant hosts, which act as redundant VPN peers. On the Branch Gateway, configure that hostname as the remote peer. Before establishing an IKE connection, the Branch Gateway performs a DNS query to resolve the hostname to an IP address, so the DNS server must return the address of a live host. Whenever the Branch Gateway senses that the currently active remote peer has stopped responding, it performs a new DNS query and tries to re-establish the VPN connection to the newly provided IP address. The Branch Gateway senses a dead peer when IKE negotiation times out, through DPD keepalives, and through object tracking. Because the gateway relies on the DNS answer, failover is only as fast and as accurate as the DNS server’s health checks: a dead host that the DNS server keeps returning will keep being tried.

  • Using the Branch Gateway’s peer-group entity (see Failover using a peer-group):

    • Define a peer-group. A peer-group is an ordered list of redundant remote peers, only one of which is active at any time. When the active peer is considered dead, the next peer in the list becomes the active remote peer.

    • When configuring a crypto map, point to the peer-group instead of to a single peer.
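The following is an added simulation of the two failover behaviours described above (DNS re-resolution and the ordered peer-group); it is illustrative Python, not Branch Gateway code or Avaya CLI. The hostname, IP addresses, DNS answers and the stand-ins for IKE negotiation and dead-peer detection are all constructed assumptions. It shows the one point the two bullets share: both mechanisms produce an ordered candidate list, and the gateway walks that list when the active peer is declared dead, the difference being whether the list comes from a fresh DNS query or from the static peer-group.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample data: the DNS server's answer before and after its
# health check withdraws the first peer. Addresses are documentation ranges.
DNS_BEFORE: Dict[str, List[str]] = {"vpn-hub.example.net": ["203.0.113.10", "203.0.113.11"]}
DNS_AFTER: Dict[str, List[str]] = {"vpn-hub.example.net": ["203.0.113.11"]}


class DnsPeerSource:
    """Mechanism 1: resolve the hostname anew every time a peer is needed."""

    def __init__(self, hostname: str, resolver: Callable[[str], List[str]]):
        self.hostname = hostname
        self.resolver = resolver      # stand-in for the gateway's DNS resolver
        self.queries = 0

    def candidates(self, dead: Optional[str]) -> List[str]:
        self.queries += 1
        answers = self.resolver(self.hostname)
        # Skip the peer just declared dead even if DNS still returns it, so a
        # stale record cannot pin the tunnel to a non-responding host.
        return [ip for ip in answers if ip != dead]


class PeerGroupSource:
    """Mechanism 2: static ordered list; the next entry becomes active on failure."""

    def __init__(self, peers: List[str]):
        self.peers = list(peers)

    def candidates(self, dead: Optional[str]) -> List[str]:
        if dead not in self.peers:
            return list(self.peers)
        i = self.peers.index(dead)
        # Next peer in the list first, wrapping around; the dead one is dropped.
        return self.peers[i + 1:] + self.peers[:i]


class VpnTunnel:
    def __init__(self, source, ike_connect: Callable[[str], bool]):
        self.source = source
        self.ike_connect = ike_connect  # stand-in for IKE negotiation; True = SA established
        self.active: Optional[str] = None
        self.log: List[str] = []

    def establish(self, dead: Optional[str] = None) -> Optional[str]:
        """Try candidates in order; the first peer that completes IKE becomes active."""
        for peer in self.source.candidates(dead):
            ok = self.ike_connect(peer)
            self.log.append(f"IKE to {peer}: {'ok' if ok else 'timeout'}")
            if ok:
                self.active = peer
                return peer
        self.active = None          # no live peer: tunnel stays down
        return None

    def on_peer_dead(self, reason: str) -> Optional[str]:
        """Entry point for IKE timeout, DPD keepalive loss or object tracking."""
        dead, self.active = self.active, None
        self.log.append(f"peer {dead} dead ({reason})")
        return self.establish(dead)


def demo_dns() -> List[Optional[str]]:
    state = {"view": DNS_BEFORE, "up": {"203.0.113.10", "203.0.113.11"}}
    t = VpnTunnel(DnsPeerSource("vpn-hub.example.net", lambda h: state["view"][h]),
                  lambda ip: ip in state["up"])
    first = t.establish()
    state["up"].discard("203.0.113.10")   # primary peer goes down
    state["view"] = DNS_AFTER             # health-checking DNS withdraws it
    second = t.on_peer_dead("DPD keepalive timeout")
    return [first, second]                # -> ["203.0.113.10", "203.0.113.11"]


def demo_peer_group() -> List[Optional[str]]:
    up = {"198.51.100.1", "198.51.100.2", "198.51.100.3"}
    t = VpnTunnel(PeerGroupSource(sorted(up)), lambda ip: ip in up)
    first = t.establish()
    up.discard("198.51.100.1")
    second = t.on_peer_dead("IKE negotiation timed out")
    up.discard("198.51.100.2")
    third = t.on_peer_dead("object tracking")
    return [first, second, third]         # -> ...1, ...2, ...3


def demo_all_down() -> Optional[str]:
    """Failure mode: every peer in the group is dead, so no SA is established."""
    t = VpnTunnel(PeerGroupSource(["198.51.100.1", "198.51.100.2"]), lambda ip: False)
    return t.establish()                  # -> None


if __name__ == "__main__":
    print(demo_dns(), demo_peer_group(), demo_all_down())
```

The DNS source re-queries on every failover, which is what makes a stale DNS answer the weak point of mechanism 1; the peer-group source needs no external dependency but can only fail over to peers that were configured in advance.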