To my knowledge the ASA doesn't have the ability to automatically fail over IPSec site-to-site tunnels through a redundant ISP that's configured like the Cisco article you linked. Cisco does have a protocol called DMVPN (Dynamic multipoint VPN) which would allow this to work, but that's not supported on the ASAs unfortunately.
Now for remote VPN client configuration, it should be possible to have that work correctly when you've failed over to the backup link. If that's not working then can you please post your sanitized config?
How do you plan to accomplish DNS failover? Are you going to use a service which will detect that your primary ISP is down and then only hand out the backup IPs? For inbound SMTP an MX record with a primary and secondary can work fine, but for other services, this can be problematic.
One solution that can work is this:
- Have your registrar point to DNS servers you administrate. One is configured on an IP assigned by ISP1, the other on ISP2.
- Have those IPs NATed on your firewall to go to 2 separate DNS servers; these host your internet DNS records.
- Configure your DNS entries on each server so that they hand out the IPs for the specific ISP they're related to. I.e. DNS server 1, NATed to ISP1 IP address, hands out IPs for inbound services that are allocated by ISP1. DNS server 2 hands out ISP2 IP numbers.
- The ISP2 DNS server will be non-accessible from the internet unless and until ISP1 fails and the ASA redirects the default gateway route, DNS server 2 then hands out IPs, but only for the IPs to be routed through ISP2, and thus through the backup connection.
Also I might point out that XroadsNetworks has a device that can be configured behind your ASA and makes this setup a lot easier. :)
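
A consistency check for the two-server DNS layout described in the list above, as an added example that is not part of the original post. The address blocks, host names, record data and the `max_ttl` threshold are constructed assumptions; the TTL check is an extra point the post does not raise.

```python
import ipaddress

# Constructed sample data: documentation address ranges stand in for the two ISP allocations.
ISP_BLOCKS = {
    "isp1": ipaddress.ip_network("198.51.100.0/28"),
    "isp2": ipaddress.ip_network("203.0.113.0/28"),
}
# Records each DNS server hands out: name -> (address, TTL in seconds).
ZONES = {
    "isp1": {"ns_ip": "198.51.100.2",
             "records": {"www.example.com": ("198.51.100.5", 300),
                         "vpn.example.com": ("198.51.100.6", 300)}},
    "isp2": {"ns_ip": "203.0.113.2",
             "records": {"www.example.com": ("203.0.113.5", 300),
                         "vpn.example.com": ("203.0.113.6", 300)}},
}
PRIORITY = ("isp1", "isp2")  # primary link first


def audit(zones, blocks, max_ttl=300):
    """Return a list of problems that would break failover; empty means consistent."""
    problems = []
    for isp, zone in zones.items():
        block = blocks[isp]
        if ipaddress.ip_address(zone["ns_ip"]) not in block:
            problems.append(f"{isp}: name server {zone['ns_ip']} is outside {block}")
        for name, (addr, ttl) in sorted(zone["records"].items()):
            if ipaddress.ip_address(addr) not in block:
                problems.append(f"{isp}: {name} -> {addr} is outside {block}")
            if ttl > max_ttl:  # assumption: long TTLs keep stale answers cached after failover
                problems.append(f"{isp}: {name} TTL {ttl}s exceeds {max_ttl}s")
    all_names = set().union(*(z["records"] for z in zones.values()))
    for isp, zone in zones.items():
        for name in sorted(all_names - set(zone["records"])):
            problems.append(f"{isp}: missing record for {name}")
    return problems


def resolve(name, zones, links_up):
    """Model the post's behaviour: only the DNS server behind the active default route answers."""
    active = next((isp for isp in PRIORITY if isp in links_up), None)
    if active is None:
        return None
    record = zones[active]["records"].get(name)
    return record[0] if record else None


if __name__ == "__main__":
    print(audit(ZONES, ISP_BLOCKS) or "zones consistent")
    print(resolve("www.example.com", ZONES, {"isp1", "isp2"}))
    print(resolve("www.example.com", ZONES, {"isp2"}))
```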