I was recently tasked with adding a redundant internet connection for one of our remote sites. This new connection was to be used as the primary connection for the VPN from the site, with the existing one being configured as a failover controlled by an IP SLA tracker on the new interface. The existing connection uses a PPPoE connection configured under Dialer1 associated with FE0 to connect to our ASA. Duplicating this wasn't an option given the hardware that the second ISP provided. They provided a /29 for use; I configured FE2 using a Vlan interface with a host on that subnet. I duplicated the connection profiles and tunnel groups on our ASA, changing only the peer IP. Both interfaces on the 1811 are using the same crypto map.

The new connection seems fine and I can reach other hosts on its subnet from both the router and hosts on the inside of the NAT. The issue happens when I change the default route to use the new connection. I'm able to reach internet hosts using the new connection and I can see the VPN being established on the ASA while the VPN from the old connection drops, but I can't get traffic to route over the tunnel. If I remove the default route that uses the new connection, the VPN comes back up on the old connection just fine. There's no problem routing over the VPN when it uses that connection, just the new one.

Relevant config from show run:

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <KEY> address <ASA IP ADDRESS>
crypto isakmp keepalive 10
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
!
crypto map aesmap 20 ipsec-isakmp
 set peer <ASA IP ADDRESS>
 set transform-set aesset
 set pfs group2
 match address acl_vpn_test
!
interface FastEthernet0
 no ip address
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map aesmap
!
interface FastEthernet2
 switchport access vlan 100
!
interface Vlan100
 ip address <IP FOR NEW CONNECTION> 255.255.255.248
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect Stateful_CBAC out
 ip virtual-reassembly
 crypto map aesmap
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip inspect Stateful_CBAC out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 <PPP ACCOUNT INFO>
 crypto map aesmap
!
ip route 0.0.0.0 0.0.0.0 Dialer1 100
ip route 0.0.0.0 0.0.0.0 <FIRST HOP IP FOR NEW CONNECTION> track 1
!
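The post references a "track 1" object for the IP SLA failover but does not show how it is defined. The following is an added illustration of a typical IOS definition for that tracker and the two default routes, not the poster's configuration; the probe target 192.0.2.1, the Vlan100 source interface, the timers and the delay values are assumptions chosen for the example.

```text
! Added example (not from the original post): an IP SLA reachability
! probe sourced from the new ISP interface, and a track object that the
! tracked default route can reference. Target and timers are assumed.
!
ip sla 1
 icmp-echo 192.0.2.1 source-interface Vlan100
 frequency 10
 timeout 2000
 threshold 1000
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Pin the probe target to the new ISP's next hop. Without this host route,
! an upstream failure on the new link would leave Vlan100 up while the probe
! is answered via the floating route over Dialer1, so track 1 would never
! go down and the tracked default route would stay installed.
ip route 192.0.2.1 255.255.255.255 <FIRST HOP IP FOR NEW CONNECTION>
!
! Default routes as in the post: the tracked route is preferred while
! track 1 is up; the floating static (AD 100) takes over when it is down.
ip route 0.0.0.0 0.0.0.0 <FIRST HOP IP FOR NEW CONNECTION> track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 100
```

To verify the state after a route change, `show track 1` and `show ip sla statistics 1` confirm which default route is active, and `show crypto ipsec sa` shows the local address each SA was negotiated with together with its encaps/decaps counters, which distinguishes a tunnel that is up but never receives matching traffic from one that encapsulates but gets nothing back.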