ASA - IP tracking for backup IPSEC VPN over Internet

Simon0754
Level 1

Hello,
I am sending this message because I am having trouble configuring a backup IPSEC VPN over the internet with one of my clients. Indeed, we currently have a working VPN between my ASA firewall and my client's Cisco router. In order to get redundancy, they are adding a second ISP on their site. So they have a prime public IP address and a backup public IP address.

I have created another VPN connection profile through the ASDM, but because the remote private network (10.10.10.x) is the same for the 2 connection profiles, it doesn't work (and I get a message explaining that protected traffic overlaps with another connection profile when I perform the configuration).

So the Prime VPN works fine when no backup VPN configuration is present, and vice versa the backup VPN works fine if I delete the Prime VPN conf in my ASA firewalls.
In both cases, my gateway is the same (my ISP router) so I presume that I can't use IP tracking SLA (or I don't know how to use it).

My routing table is:

To reach my client private network (10.10.10.x): INTERNET Interface, via router ISP gateway.

To reach my client public Prime IP address: INTERNET Interface, via router ISP gateway.

To reach my client public Backup IP address: INTERNET Interface, via router ISP gateway.
So my question is: how can I configure automatic redundancy between the 2 ISPs of my client?

I don't want to reconfigure my firewall if a problem occurs on their prime ISP. I need an automatic swap.
Thanks in advance.

Regards.

Simon.

2 Replies

parviz
Level 1

Hi,

On the ASA, add only a second tunnel-group for ISP2 (keep the first tunnel-group).

Change the crypto map config from "set peer ISP1" to "crypto map ipsec-l2l set peer ISP1 ISP2".

Keep all other config, make only these changes.
On the other side, run these commands:

ip sla 1
 icmp-echo ISP1 source-interface "to ISP1"
 frequency 5
!
ip sla schedule 1 start-time now life forever
!
track 1 ip sla 1 state
!
ip route 0.0.0.0 0.0.0.0 ISP1-IP track 1
ip route 0.0.0.0 0.0.0.0 ISP2-IP 10
! AD 10 is higher than the first route's, so it will be the backup

Apply crypto-map to both interfaces: ISP1, ISP2

Cristian Matei
VIP Alumni

Hi,

You have 2 options for this to work:

1. Stick with policy-based/crypto map IPsec tunnels. You just need to configure both of the remote side VPN IP addresses within the same statement: "crypto map XYZ 10 set peer ISP1 ISP2". For this to work, you also need to configure the ASA to run the IPsec tunnel in "originate-only" via "crypto map XYZ 10 set connection-type originate-only", while the other side should run in "answer-only". This also means that only your side can trigger the tunnel failover. Ensure you have "isakmp keepalive" configured under your tunnel-group with the primary remote IP.

2. Use route-based/VTI IPsec tunnels. This allows you to have both tunnels up and running at the same time; the tunnels are self-triggered and always in the UP/UP state. To dynamically fail over and prefer one tunnel over the other, you would run BGP over both VTIs and prefer one path. Ensure you have, likewise, "isakmp keepalive" configured, but this time for both tunnel-groups.
Regards,

Cristian Matei.
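Option 1 from the reply above, written out as a complete ASA-side configuration. This is an added example, not configuration from either reply; the interface name INTERNET and the 10.10.10.0/24 remote network come from the question, while the local network 192.168.1.0/24, the peer addresses 198.51.100.1 (prime ISP) and 203.0.113.1 (backup ISP), the object and map names and the pre-shared key are constructed placeholders.

```cisco
! --- Phase 1 (IKEv1) on the INTERNET interface ---
crypto ikev1 enable INTERNET
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
! --- Phase 2 proposal ---
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! --- Interesting traffic: one ACL covers the remote LAN for both peers,
!     so there is no "protected traffic overlaps" conflict ---
access-list CLIENT_VPN_ACL extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
!
! --- NAT exemption for the VPN traffic (assumed inside interface "inside") ---
object network LOCAL_NET
 subnet 192.168.1.0 255.255.255.0
object network CLIENT_NET
 subnet 10.10.10.0 255.255.255.0
nat (inside,INTERNET) source static LOCAL_NET LOCAL_NET destination static CLIENT_NET CLIENT_NET no-proxy-arp route-lookup
!
! --- One crypto map entry, two peers in priority order: prime first, backup second.
!     originate-only: the ASA initiates and is the side that fails over; the
!     client router runs answer-only ---
crypto map INTERNET_MAP 10 match address CLIENT_VPN_ACL
crypto map INTERNET_MAP 10 set peer 198.51.100.1 203.0.113.1
crypto map INTERNET_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map INTERNET_MAP 10 set connection-type originate-only
crypto map INTERNET_MAP interface INTERNET
!
! --- One tunnel-group per remote public IP, both with the same PSK.
!     DPD keepalives detect a dead prime peer so the ASA moves to the backup ---
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_SHARED_SECRET
 isakmp keepalive threshold 10 retry 3
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_SHARED_SECRET
 isakmp keepalive threshold 10 retry 3
```

To check which peer the tunnel is currently built to, use "show crypto ikev1 sa" and "show crypto ipsec sa peer 198.51.100.1" (or the backup address); after a failover you should see the SA listed against the other peer.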
