03-18-2020 05:15 PM
Hi guys, I have the following scenario and problem
ASA 5516-X
Cisco Adaptive Security Appliance Software Version 9.6(1) <context>
Device Manager Version 7.6(1)
Scenario:
I have a connection with one of our clients through a VPN L2L with 2 different IPs; the idea is to have an active/backup scenario. As you probably know, the idea is that if the Active Peer has any problem, our client is able to switch to the Backup Peer
For Phase 1: both peers are UP
For Phase 2: Only Active Peer is UP
Phase 1 Status:
Phase 2 Status:
Problem:
When the Active Peer has problems, the client tries to switch to the Backup Peer (200.200.200.1) and phase 2 does not come UP; it continues to send traffic to the Active Peer (100.100.100.1) even when we clear the tunnel
I checked my VPN and route configuration and it seems fine, unless I'm missing something
VPN Configuration for Phase 2:
Routing Configuration:
On the other side the client has two interfaces:
Normally it sends all the traffic through interface a.
The mechanism to execute the switchover is to send all the traffic through interface b
Regarding the VPN configuration, they use the same mechanism as me
Thanks for all the support you can give me
Regards
03-19-2020 10:15 AM
Hi,
Is the other side an ASA as well? Configure your side as "originate-only" and the remote side as "answer-only"; note that this is a per VPN tunnel connection, not globally per crypto-map, so it doesn't affect other tunnels built off the same crypto-map:
crypto map INET_map2 2 set connection-type originate-only on your side
crypto map XXX Y set connection-type answer-only on remote side
Regards,
Cristian Matei.
04-09-2020 12:39 AM
Hi @Cristian Matei, thanks for the reply
I was testing this solution and the problem is that two peers cannot coexist on the same VPN configuration, and I need it for redundancy; below I show you the output
Another thing we see very strange is that when, for some reason, the VPN goes down, only my side is able to send traffic and open the tunnel, the other side can't.
Finally answering your previous question, the other side of the tunnel is Amazon Web Services (AWS)
Regards
04-09-2020 10:05 AM
Hi,
As I previously said, you need to configure your side as "originate-only", so you can configure the two peers and have fallback between the two peers. Yes, correct, you need to initiate the fallback; that's why I said you need to have isakmp keepalives on at the tunnel-group level, so that while your primary tunnel is active and there is a failure in the path, you detect that and try to bring up the tunnel with the second peer.
Regards,
Cristian Matei.
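Putting the two suggestions together, as an added example that is not from the thread: the asker's crypto map entry from the configuration above with the originate-only connection type added, DPD on both tunnel-groups, and the show commands to confirm which peer holds the SAs after a failover. Peer addresses, names and the ACL are the ones shown in the thread; nothing else is assumed.

```text
! Added example, not posted by anyone in the thread.
! Crypto map entry as shown later in the thread, with the
! connection-type Cristian suggests; peers are tried in list order.
crypto map INET_map2 10 match address INET_cryptomap_10
crypto map INET_map2 10 set pfs
crypto map INET_map2 10 set peer 100.100.100.1 200.200.200.1
crypto map INET_map2 10 set connection-type originate-only
crypto map INET_map2 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map INET_map2 10 set security-association lifetime seconds 3600
crypto map INET_map2 10 set security-association lifetime kilobytes unlimited
!
! isakmp keepalives (DPD) on both tunnel-groups, so a dead primary
! peer is detected and the ASA moves on to the second peer.
tunnel-group 100.100.100.1 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group 200.200.200.1 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
!
! Verification after a switchover: phase 1 SAs, phase 2 SAs for the
! backup peer, and the active L2L session list.
show crypto isakmp sa
show crypto ipsec sa peer 200.200.200.1
show vpn-sessiondb l2l
```

Because the ASA side must be the initiator for originate-only to work, the phase 2 SA only moves to 200.200.200.1 once DPD has declared 100.100.100.1 dead and the ASA has interesting traffic to send.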
04-16-2020 07:34 AM
Hi @Cristian Matei, thanks again for your reply. I just want to comment that in the communication behaviour I'm not really the one that originates the traffic, I'm the receiver. Having mentioned this, does your proposal still apply?
Regarding the keepalives, I already have them configured on both tunnel groups; below I show you the configuration of both peers at this moment
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 general-attributes
default-group-policy GroupPolicy_TunnelA
tunnel-group 100.100.100.1 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
!
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 general-attributes
default-group-policy GroupPolicy_TunnelB
tunnel-group 200.200.200.1 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
!
crypto map INET_map2 10 match address INET_cryptomap_10
crypto map INET_map2 10 set pfs
crypto map INET_map2 10 set peer 100.100.100.1 200.200.200.1
crypto map INET_map2 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map INET_map2 10 set security-association lifetime seconds 3600
crypto map INET_map2 10 set security-association lifetime kilobytes unlimited
!
In this sense, can you guide me with an example workaround that I can apply in my current scenario?
Thanks again
Regards