topic Re: Terminate RA VPN clients on 2nd Intfc from different ISP? in Network Security

Terminate RA VPN clients on 2nd Intfc from different ISP?

craig — Mon, 11 Mar 2019 18:29:07 GMT

Our ASA 5520 was used to terminate VPN clients only. Today I terminated a 2nd ISP connection on another interface and made that the default interface on the firewall.

As soon as I did that, VPN connections no longer connected to the original interface, I'm assuming because the response packets are now exiting via the new default interface. I had thought that the reverse-route command would take care of this issue but it doesn't apear to be doing the trick.

Is this dual-ISP configuration possible? How to get the ASA to respond to VPN connection attempts on the non-default interface?

Thanks in advance for any suggestions!

Re: Terminate RA VPN clients on 2nd Intfc from different ISP?

athukral — Sun, 22 Aug 2010 15:26:54 GMT

Hello,

Hope you must be doing good!

Well yes scenrio is possible, could you please attach the configuration and i will suggest you the work around accordingly..

Thanks

Ankur

Re: Terminate RA VPN clients on 2nd Intfc from different ISP?

craig — Sun, 22 Aug 2010 15:46:13 GMT

Thanks.

Hopefully the attached config gives enough information. Interface Outside2 is the one I added and set as the default route. It worked fine but the VPN client connections on Outside then stopped negotiating. As you can see, I've set 'Outside' back to default for the time being and generic web traffic is using another firewall for the time being.

Re: Terminate RA VPN clients on 2nd Intfc from different ISP?

Nagaraja Thanthry — Sun, 22 Aug 2010 15:55:37 GMT

Hello,

Can you please try this command on the firewall:

route outside2 192.168.252.0 255.255.255.0

Hope this helps.

Regards,

Re: Terminate RA VPN clients on 2nd Intfc from different ISP?

Nagaraja Thanthry — Sun, 22 Aug 2010 15:57:07 GMT

Hello,

Also, you might want to remove the RRI configuration as that will install

host routes. And when the router looks up the host routes, the next hop will

be visible via the default route.

Regards,

Re: Terminate RA VPN clients on 2nd Intfc from different ISP?

craig — Sun, 22 Aug 2010 16:14:47 GMT

Thankyou for the suggestion.

I did add the route but I'm afraid we're failing during the initial ISAKMP negotiation before the 192.168.252.x address is even applied. The firewall log simply shows 'duplicate Phase 1 packet detected' which probably means that ASA's ISAKMP response is going out the new default interface (outside2) and the remote system is not accepting it.

'Outside' is the interface the VPN traffic comes in on and 'Outside2' is the new general route to the internet. The config I sent you reflects my change back to the original route to allow VPN users to connect. Sorry for the confusion.