ASA Backup Route over VPN

Yannick Vranckx
Level 2

Hello,


I have a question regarding a design with Cisco ASA. We will have a customer that will have a controlled WAN; on the controlled WAN there will be sites, all with Cisco ASA firewalls. There will also be a data center with the internet connection out.

But the sites will have a local internet break-out for backup reasons, in case the WAN would go down. The ASA must then create a VPN tunnel over that backup internet to the data center in order to keep connectivity.


My question is: How can we tell the ASA the main WAN is down (please note, it will not be the last hop out)? Can we have IP SLA config on a route outside? So we can track the route and then, when it's down, perform an action.

The action should be that the ASA builds a VPN tunnel over the internet breakout to the data center in order to restore connectivity


Kind Regards,


25 Replies

Boris Uskov
Level 4

Hello, Yannick.

Yes, you are absolutely right. You can configure IP SLA on Cisco ASA and track the route to the DC over the WAN. An example configuration:

! ICMP echo probe sent out the WAN interface (outside_2)
sla monitor 1
 type echo protocol ipIcmpEcho X.X.X.X interface outside_2
 num-packets 3
 timeout 7000
 frequency 10
sla monitor schedule 1 life forever start-time now

! Track object follows the reachability result of SLA operation 1
track 101 rtr 1 reachability

! Static route to the DC network is installed only while track 101 is up
route outside_2 Y.Y.Y.0 255.255.255.0 X.X.X.X 1 track 101

Where X.X.X.X is some IP address on the WAN and Y.Y.Y.0/24 is the network in the DC.


The issue in this config is that you are not able to configure "delay up" and "delay down" and combine multiple tracks with "OR"-logic on Cisco ASA.

That is why it is also a good practice to configure OSPF over IPsec instead of using IP SLA and TRACK. If the device in the DC supports OSPF, you can try to configure it. Here is the documentation:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63882-gre-ipsec-ospf.html

Hello,

Thanks for the information.

Now my picture might not show this, but the ASA will not be the last hop out to the WAN. After the Cisco ASA there will still be a router that will connect to the WAN.


This still means I can track the firewall in the Data Center? From what I understand, my route out to the WAN must be a specific route, not like 0.0.0.0 0.0.0.0. Because when that route is down, the Cisco ASA needs to know to take a second route, which is over a VPN tunnel (across the local internet breakout).

Hello,

Yes, you can still track the Data Center Firewall over the WAN on Cisco ASA, if, of course, ICMP traffic is not restricted over the WAN and the routers.

And, yes, your route to DC network should not be like 0.0.0.0 0.0.0.0. It should be like:

route outside_2 Y.Y.Y.0 255.255.255.0 X.X.X.X 1 track 101

Where Y.Y.Y.0/24 is the network in the Data Center. X.X.X.X in this case will be the IP address of the nearest WAN router.

There is one additional requirement. You need to add an extra route to the DC Firewall IP address to make SLA work.

! Host route (/32) for the probe target; a /24 mask would not describe a single host
route outside_2 A.A.A.A 255.255.255.255 X.X.X.X 1

Where A.A.A.A is the IP-address of DC Firewall and X.X.X.X is the IP-address of the nearest WAN-router.

So, in SLA configuration you need to use A.A.A.A ip-address in this case:

sla monitor 1
 type echo protocol ipIcmpEcho A.A.A.A interface outside_2
 num-packets 3
 timeout 7000
 frequency 10
sla monitor schedule 1 life forever start-time now

track 101 rtr 1 reachability

The additional route will then be over the local internet breakout? The first route will be over the WAN router.


Does the ASA in the DC need some special configuration? Because it is going to see traffic from the WAN side, but when it fails over it will see it from the local internet break-out.

I suppose the VPN Tunnel can stay up when there are 2 routes in place, normally he will only take the second route to the VPN tunnel if the first is down.


No, the additional route should be over the WAN:

! Host route (/32) to the DC firewall, always via the WAN router
route outside_2 A.A.A.A 255.255.255.255 X.X.X.X 1

X.X.X.X - is the IP of WAN-Router.

The purpose of the additional route is to make SLA work always over WAN. In other words, we need to send ICMP requests to DC Firewall (A.A.A.A in our example) only over WAN channel.

The ASA in DC should have the same configuration. It should track the route over WAN and switch to Internet connection (IPsec tunnel) in case of failure.


Yes, you are right. The VPN Tunnel may stay up when there are 2 routes in place. 


But, as soon as you have an ASA in the Data Center, I'd advise you to use a dynamic routing protocol (EIGRP or OSPF or even BGP) instead of SLA and route tracking. It will make your logic more stable.

Ok,


Thanks for the help

I forgot to mention that the WAN will be a layer 2 domain, but that shouldn't change anything, correct?

As long as the Firewall at the DC is reachable.

Hello, 

Yes, it does not matter whether the WAN link is L2 or L3. As long as the Firewall at the DC is reachable, everything should work.

But I'd like to repeat one more time: I really advise you to use a dynamic routing protocol instead of IP SLA tracking. It will work much more stably.

For example, you can use iBGP and configure iBGP peering over the WAN link. Please see the network diagram in the attachment.


To configure iBGP on the ASA in the office you can use the following approximate configuration:

! Routing configuration
! Default route via the Internet interface (outside_1); host route to the
! iBGP peer 2.2.2.1 via the WAN interface (outside_2)
route outside_1 0.0.0.0 0.0.0.0 111.111.111.2 1
route outside_2 2.2.2.1 255.255.255.255 1.1.1.2 1
router bgp 200
 bgp log-neighbor-changes
 bgp bestpath compare-routerid
 address-family ipv4 unicast
  neighbor 2.2.2.1 remote-as 200
  network 192.168.1.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family

! IPsec over Internet configuration
object network Inside_net
 subnet 192.168.1.0 255.255.255.0
object network DC_net
 subnet 10.0.0.0 255.255.255.0
! Crypto ACL: only office-to-DC traffic is sent into the tunnel
access-list acl-cryptomap extended permit ip object Inside_net object DC_net

! 3DES / SHA-1 / DH group 2 as posted; these are legacy algorithms, prefer
! AES and a stronger DH group where both peers support them
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! NAT exemption so tunnelled traffic keeps its real addresses
nat (any,outside_1) source static Inside_net Inside_net destination static DC_net DC_net no-proxy-arp route-lookup
crypto map outside_1_map 1 match address acl-cryptomap
crypto map outside_1_map 1 set pfs
crypto map outside_1_map 1 set peer 222.222.222.1
crypto map outside_1_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_1_map interface outside_1
crypto ikev1 enable outside_1
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

! Peer definition and pre-shared key (not in the original post; the key
! below is a placeholder to be replaced with the real one)
tunnel-group 222.222.222.1 type ipsec-l2l
tunnel-group 222.222.222.1 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>


If the WAN link is Ok, the ASAs will form the iBGP peering. ASA in DC will receive the route to office's network over WAN link and ASA in office will receive the route to DC's network over WAN link too.

If the WAN link is down, iBGP peering is down too. So, both ASAs will NOT receive routes to remote networks. In that case they will use the default route to reach the remote network. The default route will direct traffic to interface outside_1. But on this interface we have crypto map configured, so the traffic will go to IPsec tunnel (as soon as it matches the crypto-acl acl-cryptomap).

When the WAN link is up again, ASAs will form iBGP peering again and receive the routes to remote networks over WAN link.

Thanks for this great information


Sadly the customer really wants a layer 2 WAN, and it seems has no interest in running a routing protocol on the exit routers of the sites. I will try to stress this.

Because what we can do is, run the routing protocol on the last router out to the WAN right? Or have the ASA itself route it


Will the Cisco ASA in the data center show any challenges if it sees traffic comming from the WAN and then when the fail over occurs it will see that traffic from another interface.

If we use iBGP we don't need to configure anything on the border routers. BGP runs over TCP, so the ASAs can form the adjacencies even if they are not in the same broadcast domain. Please see:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118050-config-bgp-00.html

In iBGP, there is no restriction that neighbors have to be connected directly. 

The ASA in the DC should not show any changes in case of failover. Of course, when failover occurs, the TCP sessions between the two places will probably be torn down and have to restart.


If the information, which I have provided, is useful for you, please, rate my post.

Yes, of course.


It doesn't actually matter if the Layer 2 WAN router isn't in our management, the iBGP peering is done by the Cisco ASA. 

Is it then this piece of config that does it ?:

bgp bestpath compare-routerid

So the BGP process will never select the VPN tunnel route if the WAN route is still up? How does it know? I haven't had much experience with iBGP, so I'm quite interested :)


No, in fact in your case you don't even need to use this command (bgp bestpath compare-routerid). From the configuration guide:

bgp bestpath compare-routerid

Compare between similar routes received from external BGP (eBGP) peers during the best path selection process and switch the best path to the route with the lowest router ID.

So, this command is simply a common recommendation. 


Yes, the BGP process will never select the VPN tunnel if the WAN is up. That is because we don't have BGP peering over the VPN tunnel; we have BGP peering only over the WAN tunnel. If the WAN link is UP and the BGP peering is UP, the ASA receives the route to the remote network. The route to the remote network over the WAN will be more specific than the default route, so the ASA will choose this route (according to the best match rule).

When WAN link and BGP peering is DOWN, the route to remote network over WAN will disappear from ASA's routing table. The only route, which will be in ASA's routing table (except directly connected networks) will be default route, which will route the traffic to outside_1 interface, where crypto map is configured.

If your question is "How does BGP know that the WAN link is DOWN?", the answer is: BGP uses keepalive messages to verify the availability of the remote peer. The lack of receipt of keepalive messages from the remote peer within the negotiated HOLD timer causes BGP to bring down the neighbor connection.

Exactly the existence of keepalive messages and the HOLD timer makes the BGP method more stable than IP SLA and route tracking. That is because in the case of SLA, the lack of a single ICMP reply packet will cause a fallback to the IPsec tunnel. You can probably get flapping routes on the ASAs.

And one more thing. BGP on the ASA was added recently; support for BGP is included beginning with the 9.2(1) software release:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html#pgfId-791239
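As an added illustration (not code from this thread, from Cisco, or from the ASA), the following Python model contrasts the two mechanisms described above: the IP SLA tracked static route from the earlier replies and the iBGP hold-timer behaviour from this one. It feeds the same pattern of lost probes/keepalives through both, and runs a longest-prefix-match lookup over a table with a default route towards the IPsec side and a tracked DC prefix over the WAN. Interface names, addresses and timers are constructed to match the thread's examples; the classes and function names are hypothetical and are not ASA features.

```python
"""Constructed model (not ASA code) of IP SLA route tracking versus an iBGP
session with a hold timer, both driving a longest-prefix-match routing table
whose default route points at the interface carrying the crypto map."""
import ipaddress


class SlaTrack:
    """IP SLA reachability track: state follows each probe result at once,
    since the ASA track has no delay-up / delay-down dampening."""

    def __init__(self):
        self.up = True
        self.transitions = 0

    def probe(self, reply_received):
        if reply_received != self.up:
            self.transitions += 1
            self.up = reply_received
        return self.up


class BgpHoldTimer:
    """BGP neighbour: the peer's routes stay installed until no keepalive
    has arrived for hold_time seconds."""

    def __init__(self, hold_time=180):
        self.hold_time = hold_time
        self.last_keepalive = 0
        self.up = True
        self.transitions = 0

    def keepalive(self, now):
        self.last_keepalive = now
        self._set(True)

    def check(self, now):
        self._set(now - self.last_keepalive < self.hold_time)
        return self.up

    def _set(self, state):
        if state != self.up:
            self.transitions += 1
            self.up = state


class RoutingTable:
    """Longest-prefix match over routes whose tracker (if any) is up; this is
    why a withdrawn /24 over the WAN falls back to the /0 over outside_1."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, interface, next_hop, track=None):
        self.routes.append((ipaddress.ip_network(prefix), interface, next_hop, track))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface, nh, track in self.routes:
            if track is not None and not track.up:
                continue  # route withdrawn while the WAN is considered down
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, nh)
        return None if best is None else (best[1], best[2])


def build_table(track):
    # Constructed addresses, matching the thread's interface names.
    t = RoutingTable()
    # Default route via the Internet interface; its crypto map tunnels DC traffic.
    t.add("0.0.0.0/0", "outside_1", "111.111.111.2")
    # Untracked /32 to the probe target / BGP peer so probes always use the WAN.
    t.add("2.2.2.1/32", "outside_2", "1.1.1.2")
    # DC prefix over the WAN, valid only while the tracker says the WAN is up.
    t.add("10.0.0.0/24", "outside_2", "1.1.1.2", track=track)
    return t


def egress_per_tick(table, monitor, results, tick_seconds, dst="10.0.0.5"):
    """One probe/keepalive result per tick; return the egress interface
    chosen for DC-bound traffic after each tick."""
    path = []
    for i, ok in enumerate(results):
        now = (i + 1) * tick_seconds
        if isinstance(monitor, SlaTrack):
            monitor.probe(ok)
        else:
            if ok:
                monitor.keepalive(now)
            monitor.check(now)
        path.append(table.lookup(dst)[0])
    return path


def compare(results=(True, True, False, True, True, True, False, True)):
    """Same loss pattern through both mechanisms: SLA probes every 10 s (the
    thread's frequency), BGP keepalives every 60 s with a 180 s hold timer."""
    sla, bgp = SlaTrack(), BgpHoldTimer(hold_time=180)
    sla_path = egress_per_tick(build_table(sla), sla, results, 10)
    bgp_path = egress_per_tick(build_table(bgp), bgp, results, 60)
    return {"sla": sla_path, "sla_transitions": sla.transitions,
            "bgp": bgp_path, "bgp_transitions": bgp.transitions}


def probe_target_path():
    """With the WAN marked down, probes to 2.2.2.1 still leave via the WAN
    (the /32 is untracked) while DC traffic has moved to the tunnel side."""
    track = SlaTrack()
    table = build_table(track)
    track.probe(False)
    return table.lookup("2.2.2.1")[0], table.lookup("10.0.0.5")[0]


if __name__ == "__main__":
    print("intermittent loss:", compare())
    print("sustained outage:", compare((True, False, False, False, False, True)))
    print("probe path during outage:", probe_target_path())
```

Running it shows the SLA-driven table flipping DC traffic to outside_1 on every single lost reply and back on the next one, while the hold-timer table keeps the WAN route through the same two isolated losses and only withdraws it after three consecutive missed keepalives in the sustained-outage case. The untracked /32 is the reason for the extra host route in the earlier replies: without it, the probe itself would follow the default route once the track went down.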

Hi Boris, 

We have the same problem; we want to configure OSPF over the WAN (MPLS L3) between a remote office and the HQ office. What steps do we need to configure? On the ASA we cannot create a tunnel interface.

Please help me resolve this issue.

Thanks.
