Hello! We are using Cisco 871 at branches and an ASA5520 in routed mode at the central office. A VPN3000 is used to terminate IPSEC connections. I am trying to implement backup links with OSPF and the 'crypto map local-address' feature. The config on the Cisco 871 looks like this:

--------
interface Loopback1
 ip address 172.16.255.10 255.255.255.255

crypto map VPN local-address Loopback1
crypto map VPN 10 ipsec-isakmp
 set peer 10.1.5.1
 set transform-set TRANSFORM_SET
 match address VPN_TRIGGER

interface FastEthernet1
 description MAIN LINK
 ip address 172.16.1.10 255.255.255.0
 crypto map VPN

interface FastEthernet2
 description BACKUP LINK
 ip address 172.16.2.10 255.255.255.0
 crypto map VPN

router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 172.16.1.0 0.0.0.255 area 126.96.36.199
 network 172.16.2.0 0.0.0.255 area 188.8.131.52
--------

172.16.255.10 is configured as the peer address for the tunnel on the VPN3000. The IPSEC tunnel works fine; 172.16.255.10 is accessible.

ciscoasa# sh route | b 172.16.255
O E2 172.16.255.10 255.255.255.255 [110/20] via 172.16.160.10, 0:04:26, link1
ciscoasa# sh conn detail | i 172.16.255.10
ESP dmz:10.1.5.1/41767 link1:172.16.255.10/56656
ESP dmz:10.1.5.1/4405 link1:172.16.255.10/38401
UDP dmz:10.1.5.1/500 link1:172.16.255.10/500 flags -

Let's shut down one active link:

ciscoasa# sh route | b 172.16.255
O E2 172.16.255.10 255.255.255.255 [110/20] via 172.16.0.27, 0:00:15, link2
ciscoasa# sh conn detail | i 172.16.255.10
UDP dmz:10.1.5.1/500 link1:172.16.255.10/500 flags -

172.16.255.10 is now accessible via the 'link2' interface, but the UDP/500 connection is still bound to the 'link1' interface. Is it a bug or a feature? I suppose it's a feature. Is it possible to turn off that 'bind connection to interface' feature? Maybe there are better solutions for backup links? For example, should I use some ISR to terminate OSPF on it (then 172.16.255.10 won't jump from one interface to another)? Or maybe I should use two different IPSEC tunnels and run a routing protocol inside them?
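As an added illustration of the last alternative raised in the post (two separate IPSEC tunnels with the routing protocol running inside them), and not configuration from the original post, here is how the 871 side could look with IOS static VTIs, one per physical link. It assumes the hub end is a VTI-capable IOS router at 10.1.5.1 rather than the VPN3000 (which cannot terminate VTIs), that the existing ISAKMP policy and pre-shared key stay in place, and that the tunnel subnets 10.255.1.0/30, 10.255.2.0/30 and the LAN 192.168.10.0/24 are made-up values.

```cisco
! Added example, not from the original post.
! Each VTI carries its own IPsec SA, so when one physical link fails OSPF
! simply reconverges over the other tunnel; the hub never has to move an
! existing SA or its UDP/500 state from one interface to another, which is
! exactly the re-binding problem seen on the ASA above.
! Assumptions: hub is an IOS router at 10.1.5.1 that supports VTIs;
! transform set TRANSFORM_SET and the ISAKMP configuration already exist;
! 10.255.1.0/30, 10.255.2.0/30 and 192.168.10.0/24 are invented addresses.
crypto ipsec profile VTI_PROFILE
 set transform-set TRANSFORM_SET

interface Tunnel1
 description MAIN LINK (VTI sourced from FastEthernet1)
 ip address 10.255.1.2 255.255.255.252
 ip ospf cost 10
 tunnel source FastEthernet1
 tunnel destination 10.1.5.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROFILE

interface Tunnel2
 description BACKUP LINK (VTI sourced from FastEthernet2)
 ip address 10.255.2.2 255.255.255.252
 ip ospf cost 100
 tunnel source FastEthernet2
 tunnel destination 10.1.5.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROFILE

! OSPF runs only inside the tunnels; the physical links just carry IPsec.
! The higher cost on Tunnel2 keeps it as the backup path while Tunnel1 is up.
router ospf 1
 log-adjacency-changes
 network 10.255.1.0 0.0.0.3 area 0
 network 10.255.2.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
```

The hub needs a matching pair of VTIs (destinations 172.16.1.10 and 172.16.2.10, the 871's physical addresses); because the two tunnels have different sources, no tunnel key or shared profile is needed on the 871.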