06-20-2014 03:01 AM - edited 03-11-2019 09:21 PM
Hi Community.
I've successfully set up ISP failover. Now all the traffic (internet and VPN) goes over ISP1, and if the connection to ISP1 fails it goes to ISP2.
But I would like to have a different setup: all the internet traffic should go to ISP1 and all the VPN traffic should go to ISP2, but with failover functionality.
That means: if ISP1 fails, the internet traffic goes to ISP2, and if ISP2 fails, the VPN traffic goes to ISP1.
Is that possible?
Best regards, Patrick
07-08-2014 12:27 AM
There is something else to say. Don't use the command "set route" under the interface which is connecting with pppoe.
06-25-2014 02:31 AM
And I see that the provider gave me a static IP address over DHCP with a 255.255.255.255 mask. I saw that on many DSL ports; ISPs always give mask 255.255.255.255.
Interface Vlan2 "OUT1", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: *** BACKUP ***
MAC address 0026.0be9.00e7, MTU 1492
IP address 213.200.241.73, subnet mask 255.255.255.255
06-25-2014 02:37 AM
Hi Patrick,
Getting /32 mask is usual in PPPoE scenario.
Problem
When you use the IP address x.x.x.x 255.255.255.240 pppoe setroute command, the IP address is assigned correctly, but the subnet mask appears as /32 although it is specified in the command as /28. Why does this happen?
Solution
This is the correct behavior. The subnet mask is irrelevant in the case of the PPPoE interface; the ASA will always change it to /32.
Hope this clarifies.
Please do rate for the helpful posts and remember to select the correct answers.
Regards
Karthik
06-24-2014 06:40 AM
Okay, I upgraded to 9.0(3) and still have the same issue.
Here is the config (I changed all the IP addresses in the earlier post; these here are the real IP addresses):
-------------------------------------------------------------------------------------
ASA Version 9.0(3)
!
hostname ciscoasa
enable password ************* encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ************ encrypted
names
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description *** INSIDE ***
nameif INS1
security-level 100
ip address 172.30.140.254 255.255.255.0
!
interface Vlan2
description *** BACKUP ***
no forward interface Vlan1
nameif OUT1
security-level 0
pppoe client vpdn group pppoex
ip address pppoe
!
interface Vlan3
description *** OUTSIDE ***
nameif OUT2
security-level 0
ip address 217.168.46.157 255.255.255.248
!
boot system disk0:/asa903-k8.bin
ftp mode passive
object network OBJ_INS1_NET_172_30_140
subnet 172.30.140.0 255.255.255.0
object network 10.41.16.0_22
subnet 10.41.16.0 255.255.252.0
description Lab
object network OBJ_INS1_NET_ANY_NAT
subnet 0.0.0.0 0.0.0.0
object network OBJ_INS1_NET_ANY_BACKUP
subnet 0.0.0.0 0.0.0.0
access-list ACL_L2L_ECS_to_RAN extended permit ip object OBJ_INS1_NET_172_30_140 object 10.41.16.0_22
pager lines 24
mtu INS1 1500
mtu OUT1 1500
mtu OUT2 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INS1,OUT2) source static OBJ_INS1_NET_172_30_140 OBJ_INS1_NET_172_30_140 destination static 10.41.16.0_22 10.41.16.0_22 no-proxy-arp route-lookup
nat (INS1,OUT1) source static OBJ_INS1_NET_172_30_140 OBJ_INS1_NET_172_30_140 destination static 10.41.16.0_22 10.41.16.0_22 no-proxy-arp route-lookup
!
object network OBJ_INS1_NET_ANY_NAT
nat (INS1,OUT2) dynamic interface
object network OBJ_INS1_NET_ANY_BACKUP
nat (INS1,OUT1) dynamic interface
route OUT2 217.192.12.162 255.255.255.255 217.168.46.153 1 track 1
route OUT1 0.0.0.0 0.0.0.0 213.3.242.151 1 track 2
route OUT2 0.0.0.0 0.0.0.0 217.168.46.153 254
route OUT1 217.192.12.162 255.255.255.255 213.3.242.151 254
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 1
type echo protocol ipIcmpEcho 217.168.46.153 interface OUT2
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 213.3.242.151 interface OUT1
num-packets 3
frequency 15
sla monitor schedule 2 life forever start-time now
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map OUT1_MAP 100 match address ACL_L2L_ECS_to_RAN
crypto map OUT1_MAP 100 set pfs
crypto map OUT1_MAP 100 set peer 217.192.12.162
crypto map OUT1_MAP 100 set ikev1 transform-set ESP-3DES-SHA
crypto map OUT1_MAP interface OUT1
crypto map OUT1_MAP interface OUT2
crypto ca trustpool policy
crypto ikev1 enable OUT1
crypto ikev1 enable OUT2
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
telnet timeout 5
ssh 172.30.140.0 255.255.255.0 INS1
ssh timeout 5
console timeout 0
management-access INS1
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname *******@************.ch
vpdn group pppoex ppp authentication chap
vpdn username *******@****** password *****
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password *********** encrypted
tunnel-group 217.192.12.162 type ipsec-l2l
tunnel-group 217.192.12.162 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
------------------------------------------------------------
sh route:
Gateway of last resort is 213.3.242.151 to network 0.0.0.0
C 172.30.140.0 255.255.255.0 is directly connected, INS1
S 217.192.12.162 255.255.255.255 [1/0] via 217.168.46.153, OUT2
C 217.168.46.152 255.255.255.248 is directly connected, OUT2
S* 0.0.0.0 0.0.0.0 [1/0] via 213.3.242.151, OUT1
------------------------------------------------------------------------------
Sh interface:
Interface Vlan2 "OUT1", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: *** BACKUP ***
MAC address 0026.0be9.00e7, MTU 1492
IP address 213.200.241.73, subnet mask 255.255.255.255
Traffic Statistics for "OUT1":
2327 packets input, 429164 bytes
1096 packets output, 142898 bytes
62 packets dropped
1 minute input rate 1 pkts/sec, 182 bytes/sec
1 minute output rate 0 pkts/sec, 56 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 2 pkts/sec, 646 bytes/sec
5 minute output rate 1 pkts/sec, 266 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan3 "OUT2", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: *** OUTSIDE ***
MAC address 0026.0be9.00e7, MTU 1500
IP address 217.168.46.157, subnet mask 255.255.255.248
Traffic Statistics for "OUT2":
742 packets input, 141847 bytes
718 packets output, 58332 bytes
2 packets dropped
1 minute input rate 0 pkts/sec, 19 bytes/sec
1 minute output rate 0 pkts/sec, 19 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 20 bytes/sec
5 minute output rate 0 pkts/sec, 19 bytes/sec
5 minute drop rate, 0 pkts/sec
06-24-2014 09:47 AM
Hi Patrick,
I do see the VPN configuration still shows out1 interface in priority and out2 as backup for the below configuration.
crypto map OUT1_MAP interface OUT1
crypto map OUT1_MAP interface OUT2
crypto ikev1 enable OUT1
crypto ikev1 enable OUT2
!
The above lines should be modified to have out2 in priority and out1 in backup. We can try with such a configuration and figure it out.
Also on the other end it should reflect the same: the peer should be configured with ISP2 as priority and ISP1 as backup.
Regards
Karthik
06-25-2014 02:27 AM
Hi Karthik.
I did that:
ciscoasa(config)# no crypto map OUT1_MAP interface OUT1
ciscoasa(config)# no crypto map OUT1_MAP interface OUT2
ciscoasa(config)# no crypto ikev1 enable OUT1
ciscoasa(config)# no crypto ikev1 enable OUT2
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# crypto map OUT1_MAP interface OUT2
ciscoasa(config)# crypto map OUT1_MAP interface OUT1
ciscoasa(config)# crypto ikev1 enable OUT2
ciscoasa(config)# crypto ikev1 enable OUT1
But anyway, the ASA sorts it like this:
crypto map OUT1_MAP interface OUT1
crypto map OUT1_MAP interface OUT2
crypto ikev1 enable OUT1
crypto ikev1 enable OUT2
And I already did an OS upgrade; I'm now running ASA Version 9.0(3).
Are we hitting a bug here?
Best regards, Patrick
06-25-2014 02:54 AM
Hi Patrick,
Delete the crypto commands for pointing to interfaces...
ciscoasa(config)# no crypto map OUT1_MAP interface OUT1
ciscoasa(config)# no crypto map OUT1_MAP interface OUT2
ciscoasa(config)# no crypto ikev1 enable OUT1
ciscoasa(config)# no crypto ikev1 enable OUT2
Make sure that on the other side the peer address for ISP2 is mentioned 1st and ISP1 2nd.....
For this interface grouping issue, I found the solution...
You can delete the configurations on the interfaces connected to ISP1 and ISP2:
no interface vlan 2 & no interface vlan 3, and also on the ethernet interfaces remove the switchport commands....
Configure VLAN3 1st and then VLAN2.... then map them to the physical interfaces in the same sequence... then you should not get the sequence shuffling.....
Please make sure all these things are taken care of.....
For me, I have done the same and am getting it in the defined sequence.
ciscoasa(config)# sh runn | in crypto
crypto map test interface out2
crypto map test interface out1
crypto ikev1 enable out2
crypto ikev1 enable out1
crypto ikev1 policy 65535
ciscoasa(config)#
HTH
Regards
Karthik
06-24-2014 06:03 AM
Hi Patrick,
Could you please provide us the complete configuration of the ASA, editing out your sensitive information?
What is the version of SW you are using in ASA now?
Let me try to find out any caveats with respect to the issue...
Regards
Karthik
06-24-2014 04:16 AM
Hi Patrick,
One last thing. Can you remove the VPN configurations/static routes/IP SLA, whichever are applicable, on both the ends and put the ISP B related configuration 1st and then the ISP2.... then initiate the tunnel..... and try it out.... it should work as expected... Something like the below.... on both the ends...
sla monitor 1
type echo protocol ipIcmpEcho 211.11.11.9 interface OUT2
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now
!
sla monitor 2
type echo protocol ipIcmpEcho 212.12.12.12 interface OUT1
num-packets 3
frequency 15
sla monitor schedule 1 life forever start-time now
!
access-list ALC_VPN extended permit ip object OBJ_INS1_NET_192_168_1 object 10.41.16.0_22
!
nat (INS1,OUT2) source static OBJ_INS1_NET_192_168_1 OBJ_INS1_NET_192_168_1 destination static 10.41.16.0_22 10.41.16.0_22 no-proxy-arp route-lookup
nat (INS1,OUT1) source static OBJ_INS1_NET_192_168_1 OBJ_INS1_NET_192_168_1 destination static 10.41.16.0_22 10.41.16.0_22 no-proxy-arp route-lookup
!
crypto map OUT1_MAP 100 match address ALC_VPN
crypto map OUT1_MAP 100 set pfs
crypto map OUT1_MAP 100 set peer 33.33.33.33
crypto map OUT1_MAP 100 set ikev1 transform-set ESP-3DES-SHA
crypto map OUT1_MAP interface OUT2
crypto map OUT1_MAP interface OUT1
!
crypto ikev1 enable OUT2
crypto ikev1 enable OUT1
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 33.33.33.33 type ipsec-l2l
tunnel-group 33.33.33.33 ipsec-attributes
ikev1 pre-shared-key *****
!
===========================================================================================
Same way on the other end
=========================
access-list outside_cryptomap_7 extended permit ip object 10.41.16.0_22 object OBJ_INS1_NET_192_168_1 (similar to this)
crypto map outside_map 7 match address outside_cryptomap_7
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 211.11.11.11 212.12.12.14
crypto map outside_map 7 set connection-type bi-directional
crypto map outside_map 7 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 7 set reverse-route
!
crypto ikev1 policy 7
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 211.11.11.11 type ipsec-l2l
tunnel-group 211.11.11.11 ipsec-attributes
ikev1 pre-shared-key *****
!
tunnel-group 212.12.12.14 type ipsec-l2l
tunnel-group 212.12.12.14 ipsec-attributes
ikev1 pre-shared-key *****
!
HTH
Regards
Karthik
06-24-2014 03:07 AM
Even after a reboot, the VPN doesn't go out the right interface.
06-24-2014 02:09 AM
Also, I forgot to mention, that you need to make sure that the remote end has a crypto map that also points to your second interface. If it doesn't then your VPN tunnel will not come up.
--
Please remember to select a correct answer and rate helpful posts
06-24-2014 02:04 AM
Hi Patrick,
I agree with Marius about breaking the VPN connection and trying again. But I have a quick question here... does your VPN peer IP belong to the ISP1 IP stack???
I doubt in that way.... Not sure about that....
HTH
Regards
Karthik
06-24-2014 02:09 AM
Hi Karthik.
Are you asking about the other end's VPN peer? The other end has a crypto config for both IPs, ISP1 and ISP2.
Best regards, Patrick
06-24-2014 01:06 AM
Hi,
This should be your complete planned configuration, which looks okay to me.
route OUT1 0.0.0.0 0.0.0.0 212.12.12.12 1 track 1
route OUT1 33.33.33.33 255.255.255.255 212.12.12.12 254
route OUT2 33.33.33.33 255.255.255.255 211.11.11.9 1 track 2
route OUT2 0.0.0.0 0.0.0.0 211.11.11.9 254
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface OUT1
num-packets 3
frequency 15
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 8.8.8.8 interface OUT2
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
But my suggestion would be to keep the respective gateway IP in the track rather than a public DNS server (8.8.8.8). You can also reduce the frequency time to get a quicker fallback in case of an outage.
HTH
Regards
Karthik
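As an added illustration that is not from the thread or from Cisco: a small Python model of the route selection that the planned route table above yields for internet traffic versus VPN-peer traffic under each tracking state. It assumes the thread's sample addresses (gateways 212.12.12.12 and 211.11.11.9, peer 33.33.33.33) and that a route whose track object is down is withdrawn from the table, so the AD 254 backup only takes over then.

```python
# Added example (not from the thread): model of how the ASA picks an egress
# interface for the planned tracked routes. Selection is longest prefix match
# first, then lowest administrative distance among routes whose track is up;
# a route whose track object is down is withdrawn from the routing table.
import ipaddress

# Routes as written in the planned configuration:
# (interface, prefix, gateway, administrative distance, track id or None).
# Addresses are the thread's sample values, not real ones.
ROUTES = [
    ("OUT1", "0.0.0.0/0",      "212.12.12.12", 1,   1),
    ("OUT1", "33.33.33.33/32", "212.12.12.12", 254, None),
    ("OUT2", "33.33.33.33/32", "211.11.11.9",  1,   2),
    ("OUT2", "0.0.0.0/0",      "211.11.11.9",  254, None),
]

def active_routes(track_state):
    """Keep routes with no track object or whose track object is up."""
    return [r for r in ROUTES if r[4] is None or track_state.get(r[4], False)]

def select_route(dst, track_state):
    """Return (interface, gateway) for dst, or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, gw, ad, _ in active_routes(track_state):
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        key = (net.prefixlen, -ad)  # longer prefix wins, then lower AD
        if best is None or key > best[0]:
            best = (key, iface, gw)
    return None if best is None else (best[1], best[2])

def egress_plan(track_state):
    """Egress interface for generic internet traffic and for the VPN peer."""
    internet = select_route("8.8.8.8", track_state)      # any internet host
    vpn_peer = select_route("33.33.33.33", track_state)  # the L2L peer
    return {"internet": internet and internet[0], "vpn": vpn_peer and vpn_peer[0]}

if __name__ == "__main__":
    # track 1 = ISP1 (OUT1) reachability, track 2 = ISP2 (OUT2) reachability
    for state in ({1: True, 2: True}, {1: False, 2: True}, {1: True, 2: False}):
        print(state, egress_plan(state))
```

With both tracks up the split is internet via OUT1 and VPN via OUT2; losing one ISP moves only the affected traffic class to the surviving interface, which is the behaviour Patrick asked for.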