04-24-2007 08:44 PM - edited 03-11-2019 03:03 AM
Hello!
We are using Cisco 871 at branches and ASA5520 in router mode at the central office. A VPN3000 is used to terminate IPSEC connections. I am trying to implement backup links with OSPF and the 'crypto map local-address' feature. The config at the Cisco 871 looks like this:
--------
interface Loopback1
 ip address 172.16.255.10 255.255.255.255
crypto map VPN local-address Loopback1
crypto map VPN 10 ipsec-isakmp
 set peer 10.1.5.1
 set transform-set TRANSFORM_SET
 match address VPN_TRIGGER
interface FastEthernet1
 description MAIN LINK
 ip address 172.16.1.10 255.255.255.0
 crypto map VPN
interface FastEthernet2
 description BACKUP LINK
 ip address 172.16.2.10 255.255.255.0
 crypto map VPN
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 172.16.1.0 0.0.0.255 area 1.1.1.1
 network 172.16.2.0 0.0.0.255 area 2.2.2.2
--------
172.16.255.10 is configured as the peer address for the tunnel on the VPN3000.
IPSEC tunnel works fine; 172.16.255.10 is accessible.
ciscoasa# sh route | b 172.16.255
O E2 172.16.255.10 255.255.255.255
[110/20] via 172.16.160.10, 0:04:26, link1
ciscoasa# sh conn detail | i 172.16.255.10
ESP dmz:10.1.5.1/41767 link1:172.16.255.10/56656
ESP dmz:10.1.5.1/4405 link1:172.16.255.10/38401
UDP dmz:10.1.5.1/500 link1:172.16.255.10/500 flags -
Let's shut down the active link:
ciscoasa# sh route | b 172.16.255
O E2 172.16.255.10 255.255.255.255
[110/20] via 172.16.0.27, 0:00:15, link2
ciscoasa# sh conn detail | i 172.16.255.10
UDP dmz:10.1.5.1/500 link1:172.16.255.10/500 flags -
172.16.255.10 is now accessible via the 'link2' interface, but the UDP/500 connection is still bound to the 'link1' interface.
Is it a bug or a feature? I suppose it's a feature. Is it possible to turn off that 'bind connection to interface' feature?
Maybe there are better solutions for backup links? For example, should I use some ISR to terminate OSPF on it (then 172.16.255.10 won't jump from one interface to another)? Or, maybe, I should use two different IPSEC tunnels and run a routing protocol inside them?
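A check an operator could script to catch exactly the condition shown above (a stateful conn still bound to an interface that the OSPF route has moved away from), added here as an example; it is not from the thread. The sample output is constructed to mirror the post-failover 'sh route' / 'sh conn detail' lines, and the parsing assumes those line formats.

```python
import ipaddress
import re

# Constructed sample output mirroring the thread's post-failover 'show route' and 'show conn detail' lines.
ROUTE_OUTPUT = "O E2 172.16.255.10 255.255.255.255\n[110/20] via 172.16.0.27, 0:00:15, link2\n"
CONN_OUTPUT = ("UDP dmz:10.1.5.1/500 link1:172.16.255.10/500 flags -\n"
               "ESP dmz:10.1.5.1/41767 link2:172.16.255.10/56656\n")

ROUTE_RE = re.compile(r"^\S+(?: E\d)?\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)$")
NEXTHOP_RE = re.compile(r"via\s+\S+,\s+\S+,\s+(\S+)\s*$")
CONN_RE = re.compile(r"^(\w+)\s+[\w-]+:\S+?/\d+\s+([\w-]+):(\d+\.\d+\.\d+\.\d+)/\d+")

def parse_routes(text):
    """Return {IPv4Network: egress interface}; the ASA prints prefix and next-hop on two lines."""
    routes, pending = {}, None
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            pending = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = NEXTHOP_RE.search(line)
        if m and pending is not None:
            routes[pending] = m.group(1)
            pending = None
    return routes

def route_interface(routes, ip):
    """Longest-prefix match for ip, or None when the parsed table has no route to it."""
    addr = ipaddress.IPv4Address(ip)
    matches = [(net.prefixlen, iface) for net, iface in routes.items() if addr in net]
    return max(matches)[1] if matches else None

def parse_conns(text):
    """Return (protocol, bound interface, peer ip) for the far endpoint of each conn line."""
    return [m.groups() for m in (CONN_RE.match(l.strip()) for l in text.splitlines()) if m]

def stale_conns(route_text, conn_text):
    """Conns whose bound interface differs from where the route currently points."""
    routes = parse_routes(route_text)
    stale = []
    for proto, bound, ip in parse_conns(conn_text):
        current = route_interface(routes, ip)
        if current is not None and current != bound:
            stale.append((proto, ip, bound, current))
    return stale

if __name__ == "__main__":
    for proto, ip, bound, current in stale_conns(ROUTE_OUTPUT, CONN_OUTPUT):
        print(f"{proto} conn to {ip} is bound to {bound}, but the route is now via {current}")
```

On the constructed sample this reports only the UDP/500 conn, since the ESP conn is already on the interface the route points to.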
04-30-2007 11:28 AM
Check the ASA configuration especially VPN related config.
05-01-2007 08:30 PM
The ASA isn't involved directly in the VPN; it's used as a router and (stateful) firewall here. The problem is in the firewall states and dynamic routing.