https://community.cisco.com/t5/network-security/routing-issue-over-vpn-ipsec-2-peers/m-p/4062934#M1069050 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp;As i previously said, you need to configure your side as "originate-only", so you can configure the two peers and have fallback between the two peers. Yes, correct, you need to initiate the fallback, that's why i said you need to have isakmp keepalives on at the tunnel-group level, so that while your primary tunnel is active and there is a failure in the path, you detect that and try to bring up the tunnel with the second peer.</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P> Thu, 09 Apr 2020 17:05:16 GMT Cristian Matei 2020-04-09T17:05:16Z https://community.cisco.com/t5/network-security/routing-issue-over-vpn-ipsec-2-peers/m-p/4048413#M1067926 <P>Hy guys I have the following scenario and problem</P><P>&nbsp;</P><P>ASA 5516-X</P><P>Cisco Adaptive Security Appliance Software Version 9.6(1) &lt;context&gt;<BR />Device Manager Version 7.6(1)</P><P>&nbsp;</P><P><U><STRONG>Escenario:</STRONG></U></P><P>I have a connection with one of our clients through VPN L2L with 2 different IPs, the idea is to have an active / backup scenario, As you probably know the idea is if the Active Peer have any problem our client is able to switch to the Backup Peer</P><UL><LI>Active Peer 100.100.100.1</LI><LI>Backup Peer 200.200.200.1</LI></UL><P>For Phase 1: both peers are UP</P><P>For Phase 2: Only Active Peer is UP</P><P>&nbsp;</P><P><U><STRONG>Phase 1 Status:</STRONG></U></P><H6>1 IKE Peer: 100.100.100.1<BR />Type : L2L Role : responder<BR />Rekey : no State : MM_ACTIVE</H6><H6>2 IKE Peer: 200.200.200.1<BR />Type : L2L Role : responder<BR />Rekey : no State : MM_ACTIVE</H6><P><U><STRONG>Phase 2 Status:</STRONG></U></P><H6>ASA-MDC-US-1/FW-QUALITA-US# show crypto ipsec sa peer 100.100.100.1 | inc #pkts</H6><H6>#pkts encaps: 2882, #pkts encrypt: 2882, #pkts digest: 2882<BR />#pkts decaps: 2870, #pkts decrypt: 2870, #pkts verify: 2870<BR />#pkts compressed: 0, #pkts decompressed: 0<BR />#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0<BR />#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0</H6><H6>ASA# show crypto ipsec sa peer 200.200.200.1</H6><H6>There are no ipsec sas for peer 200.200.200.1</H6><P>&nbsp;</P><P><U><STRONG>Problem:</STRONG></U></P><P><SPAN class="tlid-translation translation"><SPAN class="">When the Active Peer has problems, the client tries to switch to the Backup Peer (200.200.200.1) and phase 2 does not comes UP, it continues to send traffic to the Active Peer (100.100.100.1) even when we clear the tunnel</SPAN></SPAN></P><P>I cheked my VPN and route configuration and seems fine, unless Im missing something</P><P>&nbsp;</P><P><U><STRONG>VPN Configuracion for Phase 2:</STRONG></U></P><H6>crypto map INET_map2 2 match address INET_cryptomap_1<BR />crypto map INET_map2 2 set peer 100.100.100.1 200.200.200.1<BR />crypto map INET_map2 2 set ikev1 transform-set ESP-3DES-SHA<BR />crypto map INET_map2 2 set security-association lifetime seconds 3600<BR />crypto map INET_map2 2 set security-association lifetime kilobytes unlimited</H6><H6><FONT color="#0000FF">I understand that the first IP should be the primary or active IP and the other the secondary, so I understand that it will prefer the 100.100.100.1 unless the client stop send traffic to that IP and starts sending traffic to the second IP "200.200.200.1"</FONT></H6><P>&nbsp;</P><P><U><STRONG>Routing Configuracion:</STRONG></U></P><H6>route INET 0.0.0.0 0.0.0.0 192.168.1.1 1<BR />route INET 100.100.100.1 255.255.255.255 192.168.1.1 5<BR />route INET 200.200.200.1 255.255.255.255 192.168.1.1 10</H6><H6><FONT color="#0000FF"><SPAN class="tlid-translation translation"><SPAN class="">For routing, we put the preferred peer to have a preferred route with better metric than the secondary peer</SPAN></SPAN></FONT></H6><P>&nbsp;</P><P>On the other side the client has two interfaces:</P><UL><LI>Interface a: 100.100.100.1</LI><LI>Interface b: 200.200.200.1</LI></UL><P>Normally its send all the traffic through Interface a.</P><P>The mecanism to execute the switchover its to send all the traffic through interface b</P><P>Regarding VPN configuracion they use the same mechanism as me</P><P>&nbsp;</P><P>Thanks for all the support you can give me</P><P>Regards</P> Thu, 19 Mar 2020 00:15:02 GMT https://community.cisco.com/t5/network-security/routing-issue-over-vpn-ipsec-2-peers/m-p/4048413#M1067926 fabio Baruzzi 2020-03-19T00:15:02Z https://community.cisco.com/t5/network-security/routing-issue-over-vpn-ipsec-2-peers/m-p/4048821#M1067951 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp;Is the other side an ASA as well? Configure your side as "originate-only" and the remote side as "answer-only"; note that this is a per VPN tunnel connection, not globally per crypto-map, so it doesn't affect other tunnels build off the same crypto-map:</P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>crypto map INET_map2 2 set&nbsp;connection-type originate-only&nbsp;<STRONG>on your side</STRONG></SPAN></P><P><SPAN>crypto map XXX Y set&nbsp;connection-type answer-only&nbsp;<STRONG>on remote side</STRONG></SPAN></P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P> Thu, 19 Mar 2020 17:15:00 GMT https://community.cisco.com/t5/network-security/routing-issue-over-vpn-ipsec-2-peers/m-p/4048821#M1067951 Cristian Matei 2020-03-19T17:15:00Z https://community.cisco.com/t5/network-security/routing-issue-over-vpn-ipsec-2-peers/m-p/4062473#M1069024 <P>&nbsp;</P><P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/295226">@Cristian Matei</a>&nbsp;<SPAN class="UserName lia-user-name lia-user-rank-Collaborator lia-component-message-view-widget-author-username">thanks for the reply</SPAN></P><P>&nbsp;</P><P><SPAN class="UserName lia-user-name lia-user-rank-Collaborator lia-component-message-view-widget-author-username">I was testing this solution and the problem is that two peer <SPAN class="tlid-translation translation"><SPAN class="">cannot coexist</SPAN></SPAN> on the same VPN configuration and I need it for redundancy, below I show you the output</SPAN></P><H6>ASA-(config)# crypto map INET_map2 10 set connection-type answer-only<BR />WARNING: This will remove all but the first peer from the list<BR />ASA-(config)#<BR />ASA-(config)# crypto map INET_map2 10 set peer 107.21.150.22<BR />ERROR: Multiple Peers cannot be specified with answer-only connections<BR />ASA-US(config)#</H6><P>Another thing we see very strange is that when, for some reason, the VPN goes down, only my side is able to send traffic and open the tunnel, the other side can't.</P><P><BR />Finally answering your previous question, the other side of the tunnel is Amazon Web Services (AWS)</P><P>&nbsp;</P><P>Regards</P> Thu, 09 Apr 2020 07:39:34 GMT https://community.cisco.com/t5/network-security/routing-issue-over-vpn-ipsec-2-peers/m-p/4062473#M1069024 fabio Baruzzi 2020-04-09T07:39:34Z https://community.cisco.com/t5/network-security/routing-issue-over-vpn-ipsec-2-peers/m-p/4062934#M1069050 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp;As i previously said, you need to configure your side as "originate-only", so you can configure the two peers and have fallback between the two peers. Yes, correct, you need to initiate the fallback, that's why i said you need to have isakmp keepalives on at the tunnel-group level, so that while your primary tunnel is active and there is a failure in the path, you detect that and try to bring up the tunnel with the second peer.</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P> Thu, 09 Apr 2020 17:05:16 GMT https://community.cisco.com/t5/network-security/routing-issue-over-vpn-ipsec-2-peers/m-p/4062934#M1069050 Cristian Matei 2020-04-09T17:05:16Z https://community.cisco.com/t5/network-security/routing-issue-over-vpn-ipsec-2-peers/m-p/4067251#M1069240 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/295226">@Cristian Matei</a> thanks again for yor reply, I just want to comment that in the comunication behaivior im not really the one that originate the traffic&nbsp; im the receiver, once mentioning this, your proposol still applies?</P><P>Regarding the keepalive I already have them configured on the both tunnel groups, bellow I show you the configuration of both peers at this moment</P><P>&nbsp;</P><PRE>tunnel-group 100.100.100.1 type ipsec-l2l<BR />tunnel-group 100.100.100.1 general-attributes<BR />default-group-policy GroupPolicy_TunnelA<BR />tunnel-group 100.100.100.1 ipsec-attributes<BR />ikev1 pre-shared-key *****<BR />isakmp keepalive threshold 10 retry 10<BR />!<BR />tunnel-group 200.200.200.1 type ipsec-l2l<BR />tunnel-group 200.200.200.1 general-attributes<BR />default-group-policy GroupPolicy_TunnelB<BR />tunnel-group 200.200.200.1 ipsec-attributes<BR />ikev1 pre-shared-key *****<BR />isakmp keepalive threshold 10 retry 10<BR />!<BR />crypto map INET_map2 10 match address INET_cryptomap_10<BR />crypto map INET_map2 10 set pfs <BR />crypto map INET_map2 10 set peer 100.100.100.1 200.200.200.1 <BR />crypto map INET_map2 10 set ikev1 transform-set ESP-AES-256-SHA<BR />crypto map INET_map2 10 set security-association lifetime seconds 3600<BR />crypto map INET_map2 10 set security-association lifetime kilobytes unlimited<BR />!</PRE><P>&nbsp;</P><P>In this sense can you guide me wuth an example workaround that I can apply in my current scenario?</P><P>&nbsp;</P><P>Thanks again</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P> Thu, 16 Apr 2020 14:34:26 GMT https://community.cisco.com/t5/network-security/routing-issue-over-vpn-ipsec-2-peers/m-p/4067251#M1069240 fabio Baruzzi 2020-04-16T14:34:26Z