ASA - IPSEC and OSPF issue

krasinform
Level 1

Hello!

We are using Cisco 871 routers at the branches and an ASA5520 in router mode at the central office. A VPN3000 is used to terminate the IPSEC connections. I am trying to implement backup links with OSPF and the 'crypto map local-address' feature. The config at the Cisco 871 looks like this:

--------
interface Loopback1
 ip address 172.16.255.10 255.255.255.255

crypto map VPN local-address Loopback1
crypto map VPN 10 ipsec-isakmp
 set peer 10.1.5.1
 set transform-set TRANSFORM_SET
 match address VPN_TRIGGER

interface FastEthernet1
 description MAIN LINK
 ip address 172.16.1.10 255.255.255.0
 crypto map VPN

interface FastEthernet2
 description BACKUP LINK
 ip address 172.16.2.10 255.255.255.0
 crypto map VPN

router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 172.16.1.0 0.0.0.255 area 1.1.1.1
 network 172.16.2.0 0.0.0.255 area 2.2.2.2
--------

172.16.255.10 is configured as the peer address for the tunnel on the VPN3000.

The IPSEC tunnel works fine; 172.16.255.10 is accessible.

ciscoasa# sh route | b 172.16.255
O E2 172.16.255.10 255.255.255.255
[110/20] via 172.16.160.10, 0:04:26, link1

ciscoasa# sh conn detail | i 172.16.255.10
ESP dmz:10.1.5.1/41767 link1:172.16.255.10/56656
ESP dmz:10.1.5.1/4405 link1:172.16.255.10/38401
UDP dmz:10.1.5.1/500 link1:172.16.255.10/500 flags -

Let's shut down the active link:

ciscoasa# sh route | b 172.16.255
O E2 172.16.255.10 255.255.255.255
[110/20] via 172.16.0.27, 0:00:15, link2

ciscoasa# sh conn detail | i 172.16.255.10
UDP dmz:10.1.5.1/500 link1:172.16.255.10/500 flags -

172.16.255.10 is now accessible via the 'link2' interface, but the UDP/500 connection is still bound to the 'link1' interface.

Is it a bug or a feature? I suppose it's a feature. Is it possible to turn off that 'bind connection to interface' feature?

Maybe there are better solutions for backup links? For example, should I use some ISR to terminate OSPF on it (then 172.16.255.10 won't jump from one interface to another)? Or maybe I should use two different IPSEC tunnels and run a routing protocol inside them?
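A check one can script against the two show outputs above, added here as an example and not code from the thread or its author: it parses the ASA's `show route` and `show conn detail` lines and flags conns whose bound interface no longer matches the current OSPF egress interface for the peer, which is exactly the stale UDP/500 entry seen after the failover. The sample text is constructed from the post's output, and the regexes assume the line layout shown there.

```python
import ipaddress
import re

# Constructed sample text modelled on the show output quoted in the post: after
# failover the OSPF host route points out 'link2', but the IKE conn is on 'link1'.
SHOW_ROUTE = """\
O E2 172.16.255.10 255.255.255.255
[110/20] via 172.16.0.27, 0:00:15, link2
"""
SHOW_CONN = "UDP dmz:10.1.5.1/500 link1:172.16.255.10/500 flags -\n"

# Assumed layouts: a prefix line, then its '[ad/metric] via nh, age, iface' line;
# conn lines as '<proto> <if>:<ip>/<port> <if>:<ip>/<port> ...'.
ROUTE_RE = re.compile(r"^\S+(?: \S+)? (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
VIA_RE = re.compile(r"via \S+, \S+, (\S+)$")
CONN_RE = re.compile(r"^(\w+) (\w+):(\S+?)/\d+ (\w+):(\d+\.\d+\.\d+\.\d+)/\d+")


def parse_routes(text):
    """Map each routed prefix to the interface named on its 'via' line."""
    routes, pending = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = ROUTE_RE.match(line)
        if m:
            pending = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        v = VIA_RE.search(line)
        if v and pending is not None:
            routes[pending], pending = v.group(1), None
    return routes


def egress_interface(routes, host):
    """Longest-prefix match of a host address against the parsed routes."""
    addr = ipaddress.IPv4Address(host)
    hits = [(net.prefixlen, iface) for net, iface in routes.items() if addr in net]
    return max(hits)[1] if hits else None


def stale_conns(route_text, conn_text):
    """Conns whose bound egress interface no longer matches the current route."""
    routes, stale = parse_routes(route_text), []
    for line in conn_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        proto, _ingress, src, out_if, dst = m.groups()
        now = egress_interface(routes, dst)
        if now is not None and now != out_if:
            stale.append((proto, src, dst, out_if, now))
    return stale
```

Each tuple returned names the protocol, the two endpoints, the interface the conn is still bound to and the interface the routing table now uses, so the entries that will keep failing until they time out or are cleared are visible at a glance.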

2 Replies

mchin345
Level 6

Check the ASA configuration, especially the VPN-related config.

The ASA isn't involved directly in the VPN; it's used as a router and (stateful) firewall here. The problem is in the firewall states and dynamic routing.
