04-17-2008 11:44 AM - edited 03-11-2019 05:33 AM
hi everyone,
I have an urgent problem on the customer side with an ASA5505 Sec Plus and two internet links.
I have configured the following...
interface Vlan1
nameif inside
security-level 100
ip address 10.5.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.81.X.X 255.255.255.240
!
interface Vlan3
nameif dualisp
security-level 0
ip address 67.44.X.X 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
route outside 0.0.0.0 0.0.0.0 64.81.X.X 1 track 1
route dualisp 0.0.0.0 0.0.0.0 67.44.X.X 254
sla monitor 123
type echo protocol ipIcmpEcho 195.58.X.X interface outside
num-packets 2
frequency 5
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set DOCO esp-3des esp-md5-hmac
crypto map nfdocodmg0101-map 10 match address vpn-dmg
crypto map nfdocodmg0101-map 10 set peer 195.58.x.x
crypto map nfdocodmg0101-map 10 set transform-set DOCO
crypto map nfdocodmg0101-map interface outside
crypto map nfdocodmg0101-map-disp 10 match address vpn-dmg-dualisp
crypto map nfdocodmg0101-map-disp 10 set peer 195.58.x.x
crypto map nfdocodmg0101-map-disp 10 set transform-set DOCO
crypto map nfdocodmg0101-map-disp interface dualisp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable dualisp
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 123 reachability
tunnel-group 195.58.x.x type ipsec-l2l
tunnel-group 195.58.x.x ipsec-attributes
pre-shared-key *
isakmp keepalive disable
If I disconnect the outside link, the backup link comes up and the VPN connection will be established. If I connect the outside link again, then the switchover to the outside link doesn't work...
Any ideas why? Some software bug, or did I make a mistake in my config?
Thanks for any help
Rene
04-17-2008 11:49 AM
"If I connect the outside link again than the switchover to the outside link doesn't work..."
-Could you clarify? The track doesn't come back up or the vpn doesn't fail back?
04-17-2008 11:52 AM
the track doesn't come back up !!
04-17-2008 12:04 PM
Is the address you are tracking also the peer address of your vpn tunnels? Have you tried tracking another ip address?
04-17-2008 12:05 PM
yes I have tried another ip address, same result, I have also tried different software versions :(
04-17-2008 12:13 PM
What does "show track" say after you plug in the outside interface?
I would create a specific route to the tracked ip...4.2.2.2 for example.
route outside 4.2.2.2 255.255.255.255
Then when you plug the outside interface back in, try to ping it from an inside client on the network.
05-28-2008 12:08 PM
This is a known problem with nothing but an ugly solution. There is no "preempt" or active peer detection for ISAKMP, even though it should prefer the first peer when both become active again. If you look at the IPsec SAs, you'll see it thinks it is sending traffic, so Dead Peer Detection doesn't help. If you clear the ISAKMP SA, it will correctly elect the outside peer crypto map.
It's not IP related: your route is correctly returning; however, IKE doesn't care, its IP connectivity is still fine on the backup, so everything breaks.
Conditionally null-route the inside address of the ASA from the outside router if the outside serial address is reachable.
You could probably do it on the ASA itself with "route dualisp 67.44.X.Y 255.255.255.255 null0 track 1".
05-28-2008 12:15 PM
Ok,
try using the default gateway IP address of your main ISP link as the monitored IP address under sla monitor -> it should work.
Regards,
Sushil
Cisco TAC
12-07-2008 03:18 AM
Hi,
I agree with you on this problem.
Not sure if you did find a resolution. I had this problem and the resolution is simple.
security-association lifetime seconds 28800
This is the default value, 8 hours.
The minimum is 120.
Set it as below:
crypto map outside_map 100 set security-association lifetime seconds 120
crypto map backup_map 100 set security-association lifetime seconds 120
and check how it works :)
hope this helps,
regards,
pravin
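The replies above point at three things to check in a config like this one: the same VPN peer reachable through crypto maps on two interfaces (the no-preempt problem), the default 8-hour SA lifetime on those maps (pravin's workaround is 120 s on both), and what the SLA probe actually pings (the second reply asked whether it is the VPN peer; TAC suggested the primary ISP gateway). Below is a small lint script that runs those checks over a pasted ASA running-config. It is an added example written for this page, not Cisco's code or anything posted by the thread's participants; the line formats it parses are assumed from the config posted above, the redacted X.X octets are kept as they appear and compared as plain strings, and the finding codes are names chosen here.

```python
"""Lint an ASA running-config for the dual-ISP / site-to-site IPsec pitfalls
raised in this thread. Added example, not Cisco code; the line formats below
are assumed from the config posted in the thread."""
import re
from collections import defaultdict

DEFAULT_SA_LIFETIME = 28800   # ASA default IPsec SA lifetime, 8 h (per the thread)

# Lines are lower-cased before matching, so the keyword patterns are lower-case too.
RE_MAP_IF = re.compile(r"^crypto map (\S+) interface (\S+)$")
RE_MAP_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
RE_MAP_LIFE = re.compile(r"^crypto map (\S+) (\d+) set security-association lifetime seconds (\d+)$")
RE_SLA = re.compile(r"^sla monitor (\d+)$")
RE_SLA_ECHO = re.compile(r"^type echo protocol ipicmpecho (\S+) interface (\S+)$")
RE_TRACK = re.compile(r"^track (\d+) rtr (\d+) reachability$")
RE_ROUTE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$")


def parse_asa(config):
    """Extract crypto maps, SLA probes, tracks and static routes from config text."""
    cfg = {"maps": defaultdict(lambda: {"interface": None, "entries": defaultdict(dict)}),
           "sla": {}, "tracks": {}, "routes": []}
    current_sla = None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if m := RE_SLA.match(line):
            current_sla = m.group(1)
            cfg["sla"][current_sla] = {"target": None, "interface": None}
        elif (m := RE_SLA_ECHO.match(line)) and current_sla:
            cfg["sla"][current_sla].update(target=m.group(1), interface=m.group(2))
        elif m := RE_MAP_IF.match(line):
            cfg["maps"][m.group(1)]["interface"] = m.group(2)
        elif m := RE_MAP_PEER.match(line):
            cfg["maps"][m.group(1)]["entries"][m.group(2)]["peers"] = m.group(3).split()
        elif m := RE_MAP_LIFE.match(line):
            cfg["maps"][m.group(1)]["entries"][m.group(2)]["lifetime"] = int(m.group(3))
        elif m := RE_TRACK.match(line):
            cfg["tracks"][m.group(1)] = m.group(2)
        elif m := RE_ROUTE.match(line):
            iface, dest, _mask, nexthop, metric, track = m.groups()
            cfg["routes"].append({"interface": iface, "dest": dest, "nexthop": nexthop,
                                  "metric": int(metric or 1), "track": track})
    return cfg


def check(cfg):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    findings = []
    peer_ifaces = defaultdict(set)     # peer -> interfaces whose crypto map reaches it
    peer_entries = defaultdict(list)   # peer -> (map name, seq, entry)
    for name, cm in cfg["maps"].items():
        for seq, entry in cm["entries"].items():
            for peer in entry.get("peers", []):
                peer_ifaces[peer].add(cm["interface"])
                peer_entries[peer].append((name, seq, entry))
    for peer, ifaces in peer_ifaces.items():
        if len(ifaces) < 2:
            continue
        # Same peer on two interfaces: the thread reports the IKE SA stays on the
        # backup interface after the primary route returns (no preempt).
        findings.append(("PEER_ON_TWO_INTERFACES",
                         f"peer {peer} has crypto maps on {sorted(ifaces)}; no preempt on failback"))
        for name, seq, entry in peer_entries[peer]:
            if entry.get("lifetime", DEFAULT_SA_LIFETIME) >= DEFAULT_SA_LIFETIME:
                findings.append(("DEFAULT_SA_LIFETIME",
                                 f"crypto map {name} {seq} keeps the default SA lifetime; "
                                 "the thread's workaround is 120 s on both maps"))
    for sla_id, probe in cfg["sla"].items():
        if probe["target"] in peer_ifaces:
            findings.append(("PROBE_TARGET_IS_VPN_PEER",
                             f"sla monitor {sla_id} pings VPN peer {probe['target']}"))
    for route in cfg["routes"]:
        if route["dest"] != "0.0.0.0" or not route["track"]:
            continue
        probe = cfg["sla"].get(cfg["tracks"].get(route["track"]))
        if probe is None:
            findings.append(("TRACK_WITHOUT_PROBE", f"track {route['track']} has no sla monitor"))
        elif probe["interface"] != route["interface"]:
            findings.append(("PROBE_WRONG_INTERFACE",
                             f"track {route['track']} probes via {probe['interface']}, "
                             f"route is on {route['interface']}"))
        elif probe["target"] != route["nexthop"]:
            findings.append(("PROBE_NOT_ISP_GATEWAY",
                             f"track {route['track']} probes {probe['target']}, not the "
                             f"{route['interface']} gateway {route['nexthop']} TAC suggested"))
    return findings


def lint(config):
    """Finding codes only, in the order check() emits them."""
    return [code for code, _ in check(parse_asa(config))]


# Constructed input: the relevant lines of the config posted in this thread,
# with the redacted X.X octets kept exactly as they appear.
THREAD_CONFIG = """
route outside 0.0.0.0 0.0.0.0 64.81.X.X 1 track 1
route dualisp 0.0.0.0 0.0.0.0 67.44.X.X 254
sla monitor 123
 type echo protocol ipIcmpEcho 195.58.X.X interface outside
 num-packets 2
 frequency 5
sla monitor schedule 123 life forever start-time now
crypto map nfdocodmg0101-map 10 match address vpn-dmg
crypto map nfdocodmg0101-map 10 set peer 195.58.x.x
crypto map nfdocodmg0101-map interface outside
crypto map nfdocodmg0101-map-disp 10 match address vpn-dmg-dualisp
crypto map nfdocodmg0101-map-disp 10 set peer 195.58.x.x
crypto map nfdocodmg0101-map-disp interface dualisp
track 1 rtr 123 reachability
"""

# Constructed variant with the replies' workarounds applied: probe the primary
# ISP gateway instead of the VPN peer, and a 120 s SA lifetime on both maps.
PATCHED_CONFIG = THREAD_CONFIG.replace("ipIcmpEcho 195.58.X.X", "ipIcmpEcho 64.81.X.X") + """
crypto map nfdocodmg0101-map 10 set security-association lifetime seconds 120
crypto map nfdocodmg0101-map-disp 10 set security-association lifetime seconds 120
"""

if __name__ == "__main__":
    for code, msg in check(parse_asa(THREAD_CONFIG)):
        print(f"{code}: {msg}")
```

Run against the thread's config it reports the two-interface peer, the default lifetime on both crypto maps, the probe aimed at the VPN peer and the probe not matching the outside gateway; against the patched variant only PEER_ON_TWO_INTERFACES remains, which matches the thread's point that the short lifetime (or a manual `clear` of the ISAKMP SA) is a workaround rather than a fix.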