IKEv2: Triple WAN failover between IOS (Spoke) and ASA (Hub)


Symptom

You have a Hub/Spoke design like the one in my blog post

 https://supportforums.cisco.com/blog/12960641/ikev2-central-spoke-asa-multiple-ios-hubsclients-dynamic-ip 

and want to add uplink redundancy on the client (Spoke) side.

Problem

Most Hub/Spoke designs have a redundant ASA (Hub) in the datacenter, usually dual-homed. On the client side (Spoke), however, you typically have several cheap uplinks such as VDSL, ADSL and LTE.

With EasyVPN you can only have one backup connection, e.g. VDSL as primary and ADSL as secondary. But what happens when there is an outage at the DSL provider that takes both lines down? You could use LTE as a third backup. This is where IKEv2 comes into play ...

Solution

I only add the lines required on the client (Spoke) and assume you already have a running setup like the one in

https://supportforums.cisco.com/blog/12960641/ikev2-central-spoke-asa-multiple-ios-hubsclients-dynamic-ip

There's nothing to do on the Hub side!

Configuration of the backup interfaces (here VLANs towards the DSL modem and the LTE router). The crypto map goes on every uplink, so the IKEv2 SA can be built from whichever interface currently holds the default route. Note that on these uplinks the router sits behind the modem's/LTE router's NAT (192.168.1.0/24 and 192.168.8.0/24), so the Hub will see the tunnel arriving via NAT-T (UDP/4500) after a failover; make sure that is permitted end to end.

interface Vlan51
description BackupDSL
ip address 192.168.1.50 255.255.255.0
ip nat outside
ip virtual-reassembly in
no autostate
crypto map cmap
!
interface Vlan52
description LTE
ip address 192.168.8.50 255.255.255.0
ip nat outside
ip virtual-reassembly in
no autostate
crypto map cmap

Please select 4 publicly pingable and stable addresses (two per monitored uplink). I won't post any of them here; search around, there are enough.

ip sla 100
icmp-echo <pingable-address1> source-interface Dialer0
threshold 2
frequency 10
ip sla schedule 100 life forever start-time now
ip sla 101
icmp-echo <pingable-address2> source-interface Dialer0
threshold 2
frequency 10
ip sla schedule 101 life forever start-time now

ip sla 200
icmp-echo <pingable-address3> source-interface Vlan51
threshold 2
frequency 10
ip sla schedule 200 life forever start-time now
ip sla 201
icmp-echo <pingable-address4> source-interface Vlan51
threshold 2
frequency 10
ip sla schedule 201 life forever start-time now

Now we add host routes (/32) for these addresses so that each probe is pinned to the uplink it is supposed to test; without them a probe would simply follow the current default route and test the wrong line. PLEASE: don't use your provider's DNS servers as probe targets. These host routes pin the targets to one uplink permanently, so your name resolution would keep being sent down that line even while it is broken, and you would lose fast name resolution exactly when you have a problem with one line!

ip route <pingable-address1> 255.255.255.255 Dialer0
ip route <pingable-address2> 255.255.255.255 Dialer0
ip route <pingable-address3> 255.255.255.255 192.168.1.1
ip route <pingable-address4> 255.255.255.255 192.168.1.1

Set up reachability tracking per probe and combine the two probes of each uplink with a boolean OR, so both addresses have to be down before the uplink counts as failed. This is more stable than pinging only one address. (Reachability tracking only reacts to probe timeouts; the "threshold 2" above does not influence it.)

track 100 ip sla 100 reachability
track 101 ip sla 101 reachability
track 200 ip sla 200 reachability
track 201 ip sla 201 reachability


track 1 list boolean or
object 100
object 101
!
track 2 list boolean or
object 200
object 201

Finally the default routes:

ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 170 track 2
ip route 0.0.0.0 0.0.0.0 192.168.8.1 254

So your default gateway is Dialer0. When both probe addresses behind it are unreachable, track 1 goes down, the first default route is withdrawn and the second one (AD 170) takes over. When pingable-address3 and 4 are also unreachable, track 2 goes down, the second default route is withdrawn as well and the last one (AD 254, untracked) takes over. When the probe targets answer again, the tracks come back up and the routes are reinstalled, so traffic moves back to the preferred uplink. Each failover changes the tunnel's source address, so the IKEv2 SA is rebuilt from the new interface; since the Hub treats the Spoke as a dynamic peer, it accepts the new session, and the stale SA on the Hub simply ages out.
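The pattern above (two probes per uplink, a boolean-or track list per uplink, one floating default route per uplink with increasing administrative distance, the last one untracked) generalizes to any number of uplinks. The following script is an added example and not part of the original post: it generates that configuration for a list of uplinks and simulates which default route the RIB ends up installing for a given set of answering probes. The three Uplink records mirror the post, but the probe addresses (taken from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24) and all helper names are assumptions chosen for illustration.

```python
"""Generate the post's N-uplink failover pattern and simulate route selection.

Added example, not the original post's code. Probe targets are constructed
documentation addresses; replace them with real, stable, pingable hosts.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Uplink:
    name: str                  # uplink interface, e.g. "Dialer0" or "Vlan51"
    next_hop: Optional[str]    # gateway IP, or None to route via the interface
    distance: int              # administrative distance of its default route
    probes: List[str]          # publicly pingable probe targets (two per uplink)
    base: int                  # first IP SLA / track number used by this uplink
    track_list: Optional[int]  # number of the "track N list boolean or" object


# Mirrors the post: Dialer0 primary, Vlan51 (BackupDSL) second, Vlan52 (LTE)
# last and untracked. Probe addresses are constructed, not real targets.
UPLINKS = [
    Uplink("Dialer0", None, 1, ["198.51.100.1", "198.51.100.2"], 100, 1),
    Uplink("Vlan51", "192.168.1.1", 170, ["203.0.113.1", "203.0.113.2"], 200, 2),
    Uplink("Vlan52", "192.168.8.1", 254, [], 0, None),
]


def _gateway(u: Uplink) -> str:
    return u.name if u.next_hop is None else u.next_hop


def sla_lines(u: Uplink) -> List[str]:
    """One icmp-echo probe per target, sourced from the uplink's interface."""
    out: List[str] = []
    for i, target in enumerate(u.probes):
        n = u.base + i
        out += [f"ip sla {n}",
                f" icmp-echo {target} source-interface {u.name}",
                " threshold 2",
                " frequency 10",
                f"ip sla schedule {n} life forever start-time now"]
    return out


def host_route_lines(u: Uplink) -> List[str]:
    """/32 routes pin each probe to its own uplink; without them a probe
    would follow the current default route and test the wrong line."""
    return [f"ip route {t} 255.255.255.255 {_gateway(u)}" for t in u.probes]


def track_lines(u: Uplink) -> List[str]:
    """Reachability track per probe plus a boolean-or list: the list stays up
    while at least one probe still answers."""
    if not u.probes:
        return []
    out = [f"track {u.base + i} ip sla {u.base + i} reachability"
           for i in range(len(u.probes))]
    out.append(f"track {u.track_list} list boolean or")
    out += [f" object {u.base + i}" for i in range(len(u.probes))]
    return out


def default_route_line(u: Uplink) -> str:
    """Floating static default; AD 1 is left implicit like the post does."""
    ad = "" if u.distance == 1 else f" {u.distance}"
    trk = f" track {u.track_list}" if u.track_list is not None else ""
    return f"ip route 0.0.0.0 0.0.0.0 {_gateway(u)}{ad}{trk}"


def build_config(uplinks: List[Uplink]) -> List[str]:
    """Full spoke-side SLA/track/route config in the order the post uses."""
    lines: List[str] = []
    for u in uplinks:
        lines += sla_lines(u)
    for u in uplinks:
        lines += host_route_lines(u)
    for u in uplinks:
        lines += track_lines(u)
    lines += [default_route_line(u) for u in uplinks]
    return lines


def active_uplink(uplinks: List[Uplink], reachable: Set[str]) -> str:
    """Which default route the RIB installs for a given set of answering probes.

    A tracked route is a candidate while its boolean-or list is up (at least
    one of its probes answers); an untracked route is always a candidate; the
    candidate with the lowest administrative distance wins.
    """
    candidates = [u for u in uplinks
                  if u.track_list is None or any(t in reachable for t in u.probes)]
    return min(candidates, key=lambda u: u.distance).name


if __name__ == "__main__":
    print("\n".join(build_config(UPLINKS)))
    # One Dialer0 probe still answers, so the primary stays active (boolean OR).
    print("active:", active_uplink(UPLINKS, {"198.51.100.2", "203.0.113.1"}))
```

Adding a fourth uplink is just another Uplink record with its own probe pair, SLA/track numbering base and a distance between the existing ones; the untracked record must stay the one with the highest distance, otherwise it would shadow a tracked line that is still healthy.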

If you don't have much traffic but want the IPsec tunnel to stay up permanently, you can add a third SLA probe (no track object needed) whose echo traffic matches the crypto ACL and therefore keeps triggering the VPN:

ip sla 3
icmp-echo <pingable-address5> source-interface Vlan1
threshold 2
frequency 10
ip sla schedule 3 life forever start-time now

This probe does not need a host route of its own: it should simply follow whichever default route is currently installed, and it must match the IPsec policy (the crypto ACL), i.e. it is sourced from the inside interface Vlan1 and pingable-address5 is a host behind the Hub that is reachable through the tunnel.

That's it! :)