IPSec VPN with Dual-ISP issue

fborelli07
Level 1

Hello community, how are you?

Here I am again, having some issues with a pair of ASA 5505 (Sec Plus).

This is the scenario I have:

ASA-1 ---> Only 1 ISP and LAN interface.

ASA-2 ---> 2 ISPs (main and secondary) and LAN interface.

There is a VPN to access from LAN to LAN. Dual ISP is configured and working on ASA-2. VPN redundancy as well.

The VPN failover is working fine, really fine! When I unplug the main ISP cable, the secondary comes up and the VPN works perfectly. And when I plug it back, the main ISP comes up and the VPN works perfectly as well.

The issue is particularly one and it's related to IP telephony:

We are providing IP phones and PBX services. The client behind ASA-2 (LAN network) has many Polycom IP phones that use SIP (5060) to authenticate against a PBX behind ASA-1 (a third interface called PBX-Net) that has a static NAT to be reachable from the internet directly.

So the Polycom phones behind ASA-2 have the PBX server configured with a DNS name (pointing to the public IP of the ASA-1 static NAT) like "sip123.my-pbx.com" through port UDP/5060.

The issue comes when Dual-ISP starts working. When I disconnect the main ISP, the secondary comes up perfectly and users can access the internet... BUT... many phones do not reconnect to the PBX server. Many others DO. Like 50-50 of the phones register against the PBX server. Even though they were rebooted many times.

Sometimes they keep DNS cached or routes as well, so I rebooted them. But nothing... those Polycom phones don't even try to reach the PBX server (checking ASDM in real time I don't see any packet for the PBX server).

I also tried "clear arp" and "clear xlate" on both ASA-1 and ASA-2, but nothing... still not registering.

So... tired of troubleshooting and finding nothing, I got ASA-2 rebooted.

Magically all the phones came up and I didn't have to reboot them. Is there anything I'm missing? I mean... something else to clear besides the ARP and NAT tables??

I can't explain why rebooting works.

If I test the PBX service separately with both ISP links it works fine. The issue happens when running Dual-ISP. Also when plugging the main ISP back.

Any suggestions??

Thank you people!

1 Reply

fborelli07
Level 1

People,

Right after finishing the post, I saw that maybe the problem is the UDP timeout for connections.

It's related to the command "timeout floating-conn".

When multiple static routes exist to a network with different metrics, the ASA uses the one with the best metric at the time of connection creation. If a better route becomes available, then this timeout lets connections be closed so a connection can be reestablished to use the better route. The default is 0 (the connection never times out).

So I'm going to change it to 0:0:30 (30 seconds) and let you all know!!

Regards,
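The configuration below is an added illustration of the mechanism the reply describes, not the poster's own config. It shows a tracked primary default route plus a higher-metric backup on ASA-2 and the `timeout floating-conn` setting the reply proposes, so that UDP connections created over one ISP are released once the better route returns instead of staying pinned forever. Interface names (`outside`, `backup`), the SLA probe target and the gateway addresses (203.0.113.x, 198.51.100.x) are placeholders and assumed, not taken from the thread.

```text
! ASA-2 (placeholder addresses/interface names, not the poster's)
! Primary default route is tied to an SLA ICMP probe: when the probe fails the
! route is withdrawn and the higher-metric backup route takes over.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Connections (including the phones' UDP/5060 SIP registrations) keep the
! route selected when they were created. Default floating-conn is 0 (never
! expire); 30 seconds lets stale conns be torn down and re-formed over the
! route that is now best. Same value as the reply's 0:0:30.
timeout floating-conn 0:00:30
```

To confirm the behaviour rather than wait for the next failover, `show conn` lists current connections with the interface each one was built on, and `show route` shows which default route is active at the moment. If the reply's hypothesis is correct, the manual equivalent of the reboot is `clear conn` for the affected UDP flows, which forces the phones to rebuild their registrations over the current route.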
