Yes, what you suggest would work just fine, assuming that you have control over the existing default gateway/router for the subnet on each side. Variations on this same theme can be used to provide VPN backups to a primary connectivity method (MPLS, point-to-point T1/T3, etc.) using route tracking, static routes with a higher AD 'underneath' a dynamically learned route on the primary connection, etc.
When the ASA attempts to send traffic out an interface where a crypto map is applied, it will always process the crypto map from top-down, looking for the first match. Therefore, it will always match sequence 11, and never sequence 16. So the behavior you describe above is normal.
One correct way to do this would be to build GRE tunnels with routers, where you can run a dynamic routing protocol to determine the health of the paths. Then, you can wrap the GRE tunnels in IPSec for security. However, you said replacing the hardware is not an option. SDWAN is also another correct solution for this.
But, here's an idea for you, though. If the headquarters never initiates traffic to the remote site (or can withstand an outage when the primary tunnel goes down), you could set it up where the 897 performs NAT on the traffic when it leaves the cellular interface, so that it appears to the HQ that it's a different site. The ASA would then see this "new" site as attached to crypto map sequence 16, instead of 11. This would allow the remote site to maintain connectivity during an outage, but its source addresses would be translated. Then, when the primary internet comes back up, the 897 fails back to the primary path, to the primary tunnel, and to the primary address space. It's a band-aid, but it's an option.
Best Answer
General Logging
To log IPSec events, you will want to run the following commands:
Some of these commands will already be on your ASA as you're sending your buffered log to an FTP server. I won't include the FTP commands due to this. Then you will want to look for the specific codes you're interested in, in the log on the FTP server.
Example IPSec L2L disconnect message:
Emailed Notifications
First create your list of events you want to catch.
Catch All IPSec List
Specific Event List
Now setup the email settings.
Notes
All of the logging above is limited to notifications and higher level (i.e. level 5, 4, 3, 2 and 1). If you find a code of a lower level, you will need to replace `level notifications` with `level informational` or `level debugging`. The example event above (`ASA-4-113019`) is `level warnings`, which you can see from the `ASA-4` prefix on the event.
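As an added illustration of the severity rule in the notes above (not part of the original answer), the following script decodes the `%ASA-<severity>-<message id>` prefix and checks whether a given `level` setting would capture an event. The sample log lines are constructed for this example; only message 113019 comes from the thread.

```python
import re

# ASA syslog severity levels, as named in "logging ... level <name>" commands.
ASA_LEVELS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
LEVEL_BY_NAME = {name: num for num, name in ASA_LEVELS.items()}

# Matches the "%ASA-<severity>-<message id>:" prefix anywhere in a line,
# so lines that carry a leading timestamp from the FTP/buffered log still parse.
_PREFIX = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*)")

def parse_asa_event(line):
    """Return (severity number, level name, message id, text), or None if no ASA prefix."""
    m = _PREFIX.search(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    return sev, ASA_LEVELS[sev], m.group("msg_id"), m.group("text")

def captured_at(level_name, line):
    """True if a list/destination configured with 'level <level_name>' includes this event.
    A level keeps events with that severity number or a lower (more severe) one."""
    parsed = parse_asa_event(line)
    if parsed is None:
        return False
    return parsed[0] <= LEVEL_BY_NAME[level_name]

def missed_events(level_name, lines):
    """Message ids of parsable events that 'level <level_name>' would drop."""
    return sorted({parse_asa_event(l)[2] for l in lines
                   if parse_asa_event(l) is not None and not captured_at(level_name, l)})

# Constructed sample lines (not from the original post); 113019 is the thread's L2L disconnect id.
SAMPLE_LINES = [
    "%ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, "
    "Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:10m:02s, "
    "Bytes xmt: 1024, Bytes rcv: 2048, Reason: User Requested",
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.5/443 "
    "(198.51.100.5/443) to inside:10.0.0.5/51000 (10.0.0.5/51000)",
    "%ASA-5-111008: User 'admin' executed the 'logging enable' command.",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        sev, name, msg_id, _ = parse_asa_event(line)
        print(f"{msg_id} is level {name} ({sev}); captured at notifications: "
              f"{captured_at('notifications', line)}")
```

Run it against your own exported log to see which message ids a `level notifications` list would silently drop before you raise the level to `informational` or `debugging`.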