
Site to Site VPN with Primary and Backup ISP

Joshnathan
Level 1

Hi

I am trying to configure a site to site VPN on a Cisco ASA 5525. The issue I am facing is when we failover to backup ISP we see the following log.

5 713041 IP = Peer Address, IKE Initiator: New Phase 1, Intf Inside, IKE Peer PeerAddress local Proxy Address x.x.x.x , remote Proxy Address x.x.x.x, Crypto map (Outside_map)

The local proxy is shown as the primary ISP and it's still using the associated crypto map.

3 Replies

GRANT3779
Spotlight
Hi,

Are you actually seeing any issues? That message looks normal during Phase 1 setup. If you lose your primary ISP then the VPN will need to be reestablished over the secondary ISP.

Yes, the issue is the connection will not initiate.

If our primary ISP is 1.1.1.1 and our backup is 2.2.2.2

That message shows as below when we are on 2.2.2.2

5 713041 IP = Peer Address, IKE Initiator: New Phase 1, Intf Inside, IKE Peer PeerAddress local Proxy Address 1.1.1.1 , remote Proxy Address x.x.x.x, Crypto map (Outside_map)

We would need to see some config to fully understand the setup. How is routing handled when you fail over? Do you have a floating default / object tracking?
Who controls the other end of the VPN? How is their end set up with regard to the possibility of your peer address changing (which I am assuming)? Do they have two peers configured?
Have a look here:
https://networkology.net/2013/03/08/site-to-site-vpn-with-dual-isp-for-backup-redundancy/

Depending on your image version and what the other device is, I would personally look at configuring VTI route-based VPNs.