Re: BGP

fmugambi · ‎07-15-2024

Hello Team,

I have a setup as attached,

I recently added isp b for redudancy.

My vpns terminata at ftd level, on [66.0.10.10] - this is an example IP.

on asa have done an acl called outside_in allowing any to connect to 66.0.10.10. and equivalent access-group config.

once ispb came up, ra vpn to 66.0.10.10 kicks me out, not able to authenticate and connect.

for secondary isp i did another acl, but now on internet zone in as the acl and access- group?

what could i be missing, what could i be doing wrong?

the desired state is once isp a is down b picks automatically and services are not disrupted.

Will appreciate your insights.

Thanks in advance.

chrihussey · ‎07-16-2024

Perhaps you should check for asymmetrical routing. If your VPN session is going out to ISP A, but returning via ISP B I'd wager the firewall will not allow it. You'd need to make ISP A the preferred path in and out.

Hope this may be of some help

fmugambi · ‎07-17-2024

I have done so, by using weight metric, isp A has larger weight.

Is this not enough do i need to use another metric to avoid assymetracy?

in regards to acl-ins, did i do it right?

chrihussey · ‎07-18-2024

The weight metric only applies to the local router's choice outbound and does not influence the return traffic. You probably need to prepend your AS to ISP B so that ISP A would be preferred.

As far as the ACLs are concerned, my assumption would be if ISP B is supposed to be the backup for ISP A, then they should mirror each other.

fmugambi · ‎07-25-2024

will test this by applying the as prepend attribute, and update here on the findings.

its on prod net, so am waiting for the cr to be approved.

thank you.

MHM Cisco World · ‎07-25-2024

Your Q in other post about vpn work only when asa have defualt route is relate to this design issue.

So can ypu elaborate more

Asa have two ISP and ftd behind ASA use public IP for VPN ? Or it use private IP and ASA do NATing to public IP?

MHM

fmugambi · ‎07-25-2024

for initial test case, have used private IP on FTD natted at ASA.

but on final prod network, i will have a public IP on FTD; p2p IP of /30 between ftd and asa.