https://community.cisco.com/t5/network-security/ipsec-vpn-with-dual-isp-issue/m-p/2720988#M193819 <P>Hello community, how are you?</P><P>&nbsp;</P><P>Here I am again, having some issues with a pair of ASA 5505 (Sec Plus).</P><P>This the scenario I have:</P><P>&nbsp;</P><P>ASA-1 ---&gt; Only 1 ISP and LAN interface.</P><P>&nbsp;</P><P>ASA-2 ---&gt; 2 ISP (main and secondary) and LAN interface.</P><P>&nbsp;</P><P>There is a VPN to access from LAN to LAN. Dual ISP is configured and working on ASA-2. VPN redundancy as well.</P><P>&nbsp;</P><P>The VPN failover is working fine, really fine! when I unplug the main ISP cable, secondary comes up and VPN works perfect. And when plug it back, main ISP comes up and VPN works perfect as well.</P><P>&nbsp;</P><P>The issue is particularly one and it's related to IP telephony:</P><P>We are providing IP phones and PBX services. Client behind ASA-2 (LAN network) have many Polycom IP phones that use SIP (5060) to authenticate against a PBX behind ASA-1 (a third interface called PBX-Net) that has a static NAT to be reachable from internet directly.</P><P>So Polycom phones behind ASA-2, have configured the PBX server with a DNS (pointing to the public IP of the ASA-1 static NAT) like "sip123.my-pbx.com" through port UDP/5060.</P><P>&nbsp;</P><P>The issue comes when Dual-ISP starts working. When I disconnect main ISP, secondary comes up perfectly users can access internet.. BUT... many phones do not reconnect to PBX server. Many other DO. Like 50-50 of the phones register against PBX server. Even tough they were rebooted many times.</P><P>Sometimes they keep DNS cached or routes as well so I rebooted them. But nothing.. those Polycom don't even try to reach the PBX server (checking the ASDM real-time I don't see any packet for PBX server).</P><P>I also tried "clear arp" and "clar xlate" on both ASA-1 and ASA-2, but nothing.. still not registering.</P><P>&nbsp;</P><P>So.. tired of troubleshooting and finding nothing I got the ASA-2 rebooted.</P><P>Magically all the phones came up and I didn't have to reboot them. Is there anything I'm missing? I mean.. something else to clear besides ARP and NAT tables??</P><P>I don't explain myself why rebooting works.</P><P>&nbsp;</P><P>If I test the PBX service separately with both ISP links it works fine. The issue happens when running the Dual-ISP. Also when plugging back the main ISP.</P><P>&nbsp;</P><P>any suggestions??</P><P>&nbsp;</P><P>Thank you people!</P><P><BR />&nbsp;</P> Tue, 12 Mar 2019 06:16:01 GMT fborelli07 2019-03-12T06:16:01Z https://community.cisco.com/t5/network-security/ipsec-vpn-with-dual-isp-issue/m-p/2720988#M193819 <P>Hello community, how are you?</P><P>&nbsp;</P><P>Here I am again, having some issues with a pair of ASA 5505 (Sec Plus).</P><P>This the scenario I have:</P><P>&nbsp;</P><P>ASA-1 ---&gt; Only 1 ISP and LAN interface.</P><P>&nbsp;</P><P>ASA-2 ---&gt; 2 ISP (main and secondary) and LAN interface.</P><P>&nbsp;</P><P>There is a VPN to access from LAN to LAN. Dual ISP is configured and working on ASA-2. VPN redundancy as well.</P><P>&nbsp;</P><P>The VPN failover is working fine, really fine! when I unplug the main ISP cable, secondary comes up and VPN works perfect. And when plug it back, main ISP comes up and VPN works perfect as well.</P><P>&nbsp;</P><P>The issue is particularly one and it's related to IP telephony:</P><P>We are providing IP phones and PBX services. Client behind ASA-2 (LAN network) have many Polycom IP phones that use SIP (5060) to authenticate against a PBX behind ASA-1 (a third interface called PBX-Net) that has a static NAT to be reachable from internet directly.</P><P>So Polycom phones behind ASA-2, have configured the PBX server with a DNS (pointing to the public IP of the ASA-1 static NAT) like "sip123.my-pbx.com" through port UDP/5060.</P><P>&nbsp;</P><P>The issue comes when Dual-ISP starts working. When I disconnect main ISP, secondary comes up perfectly users can access internet.. BUT... many phones do not reconnect to PBX server. Many other DO. Like 50-50 of the phones register against PBX server. Even tough they were rebooted many times.</P><P>Sometimes they keep DNS cached or routes as well so I rebooted them. But nothing.. those Polycom don't even try to reach the PBX server (checking the ASDM real-time I don't see any packet for PBX server).</P><P>I also tried "clear arp" and "clar xlate" on both ASA-1 and ASA-2, but nothing.. still not registering.</P><P>&nbsp;</P><P>So.. tired of troubleshooting and finding nothing I got the ASA-2 rebooted.</P><P>Magically all the phones came up and I didn't have to reboot them. Is there anything I'm missing? I mean.. something else to clear besides ARP and NAT tables??</P><P>I don't explain myself why rebooting works.</P><P>&nbsp;</P><P>If I test the PBX service separately with both ISP links it works fine. The issue happens when running the Dual-ISP. Also when plugging back the main ISP.</P><P>&nbsp;</P><P>any suggestions??</P><P>&nbsp;</P><P>Thank you people!</P><P><BR />&nbsp;</P> Tue, 12 Mar 2019 06:16:01 GMT https://community.cisco.com/t5/network-security/ipsec-vpn-with-dual-isp-issue/m-p/2720988#M193819 fborelli07 2019-03-12T06:16:01Z https://community.cisco.com/t5/network-security/ipsec-vpn-with-dual-isp-issue/m-p/2720989#M193820 <P>People,</P><P>Right after finishing the post, I saw that maybe the problem is the UDP timeout for connections.</P><P>It's related to command: "timeout floating-conn".</P><P>When multiple static routes exist to a network with different metrics, the ASA uses the one with the best metric at the time of connection creation. If a better route becomes available, then this timeout lets connections be closed so a connection can be reestablished to use the better route. The default is 0 (the connection never times out).</P><P>&nbsp;</P><P>So I'm going to change it to 0:0:30 (30 seconds) and let you all know!!</P><P>&nbsp;</P><P>Regards,</P> Wed, 15 Jul 2015 00:02:36 GMT https://community.cisco.com/t5/network-security/ipsec-vpn-with-dual-isp-issue/m-p/2720989#M193820 fborelli07 2015-07-15T00:02:36Z