cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2699
Views
0
Helpful
15
Replies
Highlighted
Beginner

Dual ISP, one VPN works and the other does not route

I have an ASA5505 and have the Any-Connect setup so that I can use my iPhone or iPad and get to my internal Cisco VC240 IP Cameras as well as other devices in my network but they are the main reason I setup the VPN.  This works like a champ and I don't have to change the settings on the iPhone/iPad app when I am in the office or out of the office.

I have since added an additional ISP due to some other services on my network.  I am using the tracking feature of the ASA to track the route to one ISP and if it fails, the other ISP takes over the connection.  I copied the commands for the 1st ISP, changed the names to the second ISP and placed the commands into the ASA.  I can now connect via Any-Connect to either ISP on the iPhone/iPad.  If I connect to my latest ISP, I get connected but the ASA does not route traffic back to me.  My stats on the iPhone show data sent but none received.  I cannot ping any device, access my cameras, etc.  But when I connect to the other ISP, it works fine.

I didn't know if this is even possible with the ASA but would assume it would be as most everything works so it appears I am missing probably one small command and it would work on either.

Does anyone know if it is possible?  And if so, any idea on what might cause one to work and the other to not work?

Thanks, Todd Vohs Owner Holstein Ag Services, LLC
Everyone's tags (8)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: Dual ISP, one VPN works and the other does not route

Hello Todd,

what about this entry:

nat (inside,evertek) source static local-network local-network destination static Anyconnect-client Anyconnect-client

From sh run I can see that there is no nat-exempt.

Best Regards,

Eugene

Cisco Employee

Re: Dual ISP, one VPN works and the other does not route

Hello Todd,

You are welcome, you can mark this post as answered if everything is fine now.

Please rate helpful posts

Best Regards,

Eugene

15 REPLIES 15
Cisco Employee

Dual ISP, one VPN works and the other does not route

Hello Todd,

The same question in the neighbor post. Two  ISPs are only supported in a primary/backup-scenario. When the  primary  ISP fails (which is tested by IP SLA) then the backup ISP jumps  in.  This is done by enabling the default-route on the backup-ISP and   disabling the default-route on the primary ISP. But it's not possible  to  use them both at the same time.

Please rate helpful posts

Best Regards,

Eugene

Beginner

Dual ISP, one VPN works and the other does not route

Eugene,

Thanks for the quick response.  Here is the problem; my first ISP (let's call it frontier) was my only ISP.  The AnyConnect worked fine on frontier. 

I now have another ISP (call it comcast) that is faster so I am using it as the primary and have the router configured for the primary ISP as comcast and the backup ISP as frontier.  The AnyConnect only works on the backup (frontier).  It does not work on the primary (comcast).  The tracking/SLA works fine, I can traceroute and it goes through comcast.  Then unplug the comcast cable and a traceroute then goes through frontier.  Plug it back in and back through comcast.  Routes update fine. 

VPN continues to work through frontier but not comcast, even when both are up and running.  That is why I thought there was just something little I was missing since it continues to function through the backup and not the primary.

Thanks,

Todd.

Thanks, Todd Vohs Owner Holstein Ag Services, LLC
Beginner

Dual ISP, one VPN works and the other does not route

Eugene,

I forgot to add that when I stated that I copied the commands, I was referring to the access lists, static nat, etc.  So where there was a NAT or Access List that stated:

nat (inside,frontier) source static local-network local-network destination static Anyconnect-client Anyconnect-client

I copied and pasted the following:

nat (inside,comcast) source static local-network local-network destination static Anyconnect-client Anyconnect-client

I tried to make equivalents for everything that I thought needed.  Apparently, there is something I am missing.  That is all I am saying.  Just not sure.

Thanks again,

Todd

Thanks, Todd Vohs Owner Holstein Ag Services, LLC
Cisco Employee

Dual ISP, one VPN works and the other does not route

Hi Todd,

So you cannot connect to comcast interface, even when it is in use? Can you provide sh run?

Best Regards,

Eugene

Beginner

Re: Dual ISP, one VPN works and the other does not route

Eugene,

It connects just fine.  When I start the Anyconnect client on a PC or an iPad/iPhone, it will connect to both ISP static IP addresses and receives a 10.1.4.x address from the VPN DHCP Pool.  It does not route traffic back to the client from the active ISP.  The one that is in the Backup role connects and routes just as it should.

I live in a remote area of NW Iowa.  We did not get any type of high-speed internet until 2003, which was a wireless solution from Evertek with a 1Mbps down and 640K up.  We have now gotten to some DSL in the last few years.  I currently have a Frontier ADSL which runs about 3 down and 1 up.  I am hosting a Raven Slingshot which provides non-line-of-sight RTK GPS signal to farmers in fields that have a cellular data modem on their GPS auto-steer units in tractors and combines to sub-inch accuracy so this connection has to have quite a bit of reliability.  This is all fronted with a Cisco 2611 with a WIC-1ADSL that I used to replace the crappy little ADSL modem/router that Frontier supplied.  I can therefore use NAT and keep the Slingshot on E0/1 on the 2611 and NAT it into Frontier and the E0/0 connects to a VLAN on the ASA5505 and gets NAT into Frontier also.  If the ASA5505 does down, the Slingshot still functions.  Therefore, my ASA5505 backup is to the Frontier ADSL.

The Evertek (what I referred to as Comcast in earlier posts) connects to another VLAN and is the primary supplying data to the rest of the network and if it goes down, my data will switch to the Frontier ADSL until the Evertek comes back online.

The backup/tracker function was exactly what I was needing.  I picked up another ethernet inferface on eBay for the 2611 so that I have the ability to move the Evertek ISP to the 2611 also and use the 2611 to provide an reliable, backup internet connection just for the Slingshot as Frontier is currently installing Bonded ADSL/2 which will provide me 12Mbps/6Mbps connection.  So, I will keep the data on the ADSL/2, the Slingshot on the Frontier ADSL and Evertek as a backup to Frontier when it is finally said and done.  I would just like to get the VPN off my Frontier ADSL and onto the Evertek (which is the one not functioning correctly right now) so I am not interferring with the Slingshot.

Is there a way to use the Evertek as a backup to 2 interfaces?  I would only want this since the Frontier ADSL and ADSL/2 all come into the building on a single 4-pair copper wire so if it gets cut, disconnected, etc. somewhere both would go down and I would still have the Evertek wireless but would still need the VPN to work on all interfaces.

Sorry to babble on, but there is no one in this area that knows what I am talking about so I do not have anyone to bounce any ideas off.

Thanks,

Todd Vohs
Owner
Holstein Ag Services, LLC

Thanks, Todd Vohs Owner Holstein Ag Services, LLC
Contributor

Dual ISP, one VPN works and the other does not route

Please copy the output of

show route

while the client is connected to either VPN. Can you see any firewall logs while sending packets?

You should add no-proxy-arp and route-lookup keywords to the identiy NAT commands. What software version do you have?

Beginner

Re: Dual ISP, one VPN works and the other does not route

Here is a sh ro, sh ver and sh run.  I don't want my information laid out there to the public so I sub'd the evertek isp with yyyy.yyyy.yyyy.yyyy, frontier with zzzz.zzzz.zzzz.zzzz and my domain name with domain.com and sub'd the password encryptions. 

I also noticed that there is not a network object for my evertek interface.  How do I add a network object for that interface when it is a dhcp from the isp?  I do have a static address from them and that is how they do statics, I gave them my MAC and they always give me the same address.

I noticed too that I do not have an extended access-list for the evertek isp.

Would these 2 things make it not work?

hasasa5505# sh ro

Codes:

       C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is yyyy.yyyy.yyyy.yyyy to network 0.0.0.0

C    zzzz.zzzz.zzzz.zzzz 255.255.255.252 is directly connected, frontier

S    172.16.100.0 255.255.255.0 [1/0] via 10.1.2.1, inside

C    10.1.2.0 255.255.255.0 is directly connected, inside

S    10.1.1.0 255.255.255.0 [1/0] via 10.1.2.1, inside

S    10.1.4.0 255.255.255.0 [1/0] via 10.1.2.1, inside

S    10.1.4.21 255.255.255.255 [1/0] via yyyy.yyyy.yyyy.yyyy, frontier

S    10.1.4.20 255.255.255.255 [1/0] via yyyy.yyyy.yyyy.yyyy, evertek

S    10.1.100.0 255.255.255.0 [1/0] via 10.1.2.1, inside

S    192.168.1.0 255.255.255.0 [1/0] via 10.1.2.1, inside

d*   0.0.0.0 0.0.0.0 [1/0] via yyyy.yyyy.yyyy.yyyy, evertek

C    yyyy.yyyy.yyyy.yyyy 255.255.254.0 is directly connected, evertek

hasasa5505#

hasasa5505# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(3)

Device Manager Version 6.4(7)

Compiled on Fri 06-Jan-12 10:24 by builders

System image file is "disk0:/asa843-k8.bin"

Config file at boot was "startup-config"

hasasa5505 up 1 day 22 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz

Internal ATA Compact Flash, 128MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)

                             Boot microcode        : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06

                             Number of accelerators: 1

0: Int: Internal-Data0/0    : address is 0007.7d76.7ca1, irq 11

1: Ext: Ethernet0/0         : address is 0007.7d76.7c99, irq 255

2: Ext: Ethernet0/1         : address is 0007.7d76.7c9a, irq 255

3: Ext: Ethernet0/2         : address is 0007.7d76.7c9b, irq 255

4: Ext: Ethernet0/3         : address is 0007.7d76.7c9c, irq 255

5: Ext: Ethernet0/4         : address is 0007.7d76.7c9d, irq 255

6: Ext: Ethernet0/5         : address is 0007.7d76.7c9e, irq 255

7: Ext: Ethernet0/6         : address is 0007.7d76.7c9f, irq 255

8: Ext: Ethernet0/7         : address is 0007.7d76.7ca0, irq 255

9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255

10: Int: Not used            : irq 255

11: Int: Not used            : irq 255

Licensed features for this platform:

Maximum Physical Interfaces       : 8              perpetual

VLANs                             : 20             DMZ Unrestricted

Dual ISPs                         : Enabled        perpetual

VLAN Trunk Ports                  : 8              perpetual

Inside Hosts                      : 50             perpetual

Failover                          : Active/Standby perpetual

VPN-DES                           : Enabled        perpetual

VPN-3DES-AES                      : Enabled        perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : 25             perpetual

Other VPN Peers                   : 25             perpetual

Total VPN Peers                   : 25             perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Enabled        perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.

Serial Number: SERIAL#

Running Permanent Activation Key: KEY

Configuration register is 0x1

Configuration last modified by enable_15 at 19:58:59.527 CST Sat Dec 15 2012

hasasa5505#

This is actually from a copy run tftp:

: Saved

: Written by enable_15 at 14:46:02.006 CST Sun Dec 16 2012

!

ASA Version 8.4(3)

!

hostname hasasa5505

domain-name domain.com

enable password asfadfasfdasddf encrypted

passwd adfkjadfasdf encrypted

names

name 208.67.222.222 OpenDNS.1

name 208.67.220.220 OpenDNS.2

name 172.16.100.200 InternalDNS.1

dns-guard

!

interface Ethernet0/0

switchport access vlan 15

!

interface Ethernet0/1

switchport access vlan 4

!

interface Ethernet0/2

switchport access vlan 4

!

interface Ethernet0/3

switchport access vlan 4

!

interface Ethernet0/4

switchport access vlan 4

!

interface Ethernet0/5

switchport access vlan 5

!

interface Ethernet0/6

switchport access vlan 4

!

interface Ethernet0/7

switchport access vlan 25

!

interface Vlan1

nameif management

security-level 0

ip address 10.1.100.254 255.255.255.0

!

interface Vlan4

nameif inside

security-level 100

ip address 10.1.2.254 255.255.255.0

!

interface Vlan5

nameif dmz

security-level 50

ip address 10.1.3.254 255.255.255.0

!

interface Vlan15

nameif frontier

security-level 0

ip address zzzz.zzzz.zzzz.zzzz 255.255.255.252

!

interface Vlan25

nameif evertek

security-level 0

ip address dhcp setroute

!

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup management

dns domain-lookup inside

dns domain-lookup dmz

dns domain-lookup frontier

dns server-group DefaultDNS

name-server OpenDNS.1

name-server OpenDNS.2

name-server InternalDNS.1

domain-name holsteinagservices.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network has-video

host 10.1.2.203

description HAS Video Server

object network Cisco2621

host zzzz.zzzz.zzzz.zzzz

object service tftp

service udp source eq tftp

object service ssh

service tcp source eq ssh

object service rdp

service tcp source eq 3389

object service 4010

service tcp source eq 4010

object service 4011

service tcp source eq 4011

object service 23

service tcp source eq telnet

object network has-pbx

host 10.1.1.100

description 3CX Server

object network pioneer-pc

host 172.16.100.31

object service 7644

service tcp source eq 7644

object service 5090

service tcp source eq 5090

description 3CX Tunnel

object service sip

service tcp source eq sip

object-group service 3cxtunnel tcp-udp

port-object eq 5090

port-object eq sip

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network Anyconnect-client

network-object 10.1.4.0 255.255.255.0

object-group network local-network

network-object 172.16.100.0 255.255.255.0

network-object 10.1.2.0 255.255.255.0

network-object 192.168.1.0 255.255.255.0

network-object 10.1.1.0 255.255.255.0

network-object 10.1.4.0 255.255.255.0

access-list outside_access_in extended permit object-group TCPUDP any object has-pbx object-group 3cxtunnel

access-list outside_access_in extended permit tcp any object pioneer-pc eq 7644

access-list outside_access_in extended permit udp any object Cisco2621 eq tftp

access-list outside_access_in extended permit icmp any object Cisco2621 echo-reply

access-list test extended permit ip any host zzzz.zzzz.zzzz.zzzz

access-list test extended permit ip host zzzz.zzzz.zzzz.zzzz any

access-list split standard permit 172.16.100.0 255.255.255.0

access-list split standard permit 10.1.2.0 255.255.255.0

access-list split standard permit 192.168.1.0 255.255.255.0

access-list split standard permit 10.1.1.0 255.255.255.0

pager lines 24

mtu management 1500

mtu inside 1500

mtu dmz 1500

mtu frontier 1500

mtu evertek 1500

ip local pool HASVPNPool 10.1.4.20-10.1.4.24 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (inside,frontier) source static local-network local-network destination static Anyconnect-client Anyconnect-client

nat (inside,frontier) source static pioneer-pc interface service 7644 7644

nat (inside,frontier) source static has-pbx interface service 5090 5090

nat (inside,frontier) source static has-video interface service 4011 4011

nat (inside,frontier) source static has-video interface service 4010 4010

nat (inside,evertek) source static pioneer-pc interface service 7644 7644

nat (inside,evertek) source static has-pbx interface service 5090 5090

nat (inside,evertek) source static has-video interface service 4011 4011

nat (inside,evertek) source static has-video interface service 4010 4010

!

nat (inside,frontier) after-auto source dynamic any interface

nat (inside,evertek) after-auto source dynamic any interface

access-group outside_access_in in interface frontier

access-group outside_access_in in interface evertek

route evertek 0.0.0.0 0.0.0.0 yyyy.yyyy.yyyy.yyyy track 1

route frontier 0.0.0.0 0.0.0.0 zzzz.zzzz.zzzz.zzzz 3

route inside 10.1.1.0 255.255.255.0 10.1.2.1 1

route inside 10.1.4.0 255.255.255.0 10.1.2.1 1

route inside 10.1.100.0 255.255.255.0 10.1.2.1 1

route inside 172.16.100.0 255.255.255.0 10.1.2.1 1

route inside 192.168.1.0 255.255.255.0 10.1.2.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server CiscoVPN protocol radius

ad-agent-mode

aaa-server CiscoVPN (inside) host InternalDNS.1

key password1

radius-common-pw password1

aaa-server has-server protocol radius

aaa-server has-server (inside) host InternalDNS.1

timeout 5

key 12345678

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.1.2.0 255.255.255.0 inside

http 172.16.100.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

sla monitor 123

type echo protocol ipIcmpEcho yyy.yyyy.yyyy.yyyy interface frontier

num-packets 3

frequency 10

sla monitor schedule 123 life forever start-time now

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface frontier

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=hasasa5505

proxy-ldc-issuer

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130

    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117

    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504

    0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

    20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56

    65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043

    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31

    30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b

    30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20

    496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65

    74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420

    68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329

    3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365

    63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7

    0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597

    a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10

    9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc

    7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b

    15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845

    63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8

    18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced

    4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f

    81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201

    db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868

    7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101

    ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8

    45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777

    2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a

    1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406

    03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973

    69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403

    02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969

    6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b

    c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973

    69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30

    1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603

    551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355

    1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609

    2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80

    4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e

    b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a

    6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc

    481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16

    b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0

    5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8

    6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28

    6c2527b9 deb78458 c61f381e a4c4cb66

  quit

crypto ca certificate chain ASDM_TrustPoint0

certificate d296644f

    3082026a 308201d3 a0030201 020204d2 96644f30 0d06092a 864886f7 0d010105

    05003047 31133011 06035504 03130a68 61736173 61353530 35313030 2e06092a

    864886f7 0d010902 16216861 73617361 35353035 2e686f6c 73746569 6e616773

    65727669 6365732e 636f6d30 1e170d31 32303431 36313230 3035385a 170d3232

    30343134 31323030 35385a30 47311330 11060355 0403130a 68617361 73613535

    30353130 302e0609 2a864886 f70d0109 02162168 61736173 61353530 352e686f

    6c737465 696e6167 73657276 69636573 2e636f6d 30819f30 0d06092a 864886f7

    0d010101 05000381 8d003081 89028181 00ab7918 2a1031bc 711c4495 e5c11d6f

    af55ba95 0211eb7b 1fb0170a 663186ca 83ae651d d9d364a2 46f2d049 7a918c31

    da774019 a111dc7b bd818fe7 f7b0eb9b 7e004d5b 7eec4e3b 117bcaf7 560bc697

    cb021079 7f28983c e669b0d7 741cf450 226f83f1 19a81729 48e7eed5 2e85f5e5

    eac070b7 b6b909be 630295f2 25301670 51020301 0001a363 3061300f 0603551d

    130101ff 04053003 0101ff30 0e060355 1d0f0101 ff040403 02018630 1f060355

    1d230418 30168014 a08b66cc 9b2fc4b4 f65cd3c1 96e0bd9f 9f4d037a 301d0603

    551d0e04 160414a0 8b66cc9b 2fc4b4f6 5cd3c196 e0bd9f9f 4d037a30 0d06092a

    864886f7 0d010105 05000381 8100a90c 243e2174 a414e6c5 9b64e879 a9d53c29

    1c10302a cf317721 873cbe6c c07bc16a 9a2e29a2 66e0b916 85e07c98 0a0f25b3

    27b92a13 f997a41f fabd47d8 85f49555 4fa74e48 c97270b8 7b5a5202 e93f6055

    503f2c80 07b34957 573cfb33 57fd0917 8e44569d 7968c94a 5500ed01 e945875b

    3d3f2221 2024c3b8 b3e2af2c 1baf

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

!

track 1 rtr 123 reachability

telnet timeout 5

ssh 10.1.2.0 255.255.255.0 inside

ssh 10.1.4.0 255.255.255.0 inside

ssh timeout 30

console timeout 0

dhcp-client client-id interface frontier

dhcp-client client-id interface evertek

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server InternalDNS.1 source inside

ssl trust-point ASDM_TrustPoint0 evertek

ssl trust-point ASDM_TrustPoint0 frontier

webvpn

enable frontier

enable evertek

anyconnect-essentials

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect image disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 2

anyconnect enable

tunnel-group-list enable

group-policy "GroupPolicy_Holstein Ag Services AnyConnect VPN" internal

group-policy GroupPolicy_HAS internal

group-policy GroupPolicy_HAS attributes

wins-server value 172.16.100.200

dns-server value 172.16.100.200 208.67.222.222

vpn-tunnel-protocol ikev2 ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split

default-domain value domain.com

username user1 password adfadfadsfadf encrypted privilege 15

username user2 password afdsdfasdfasdf encrypted privilege 15

username user3 password asdfasdfasdf encrypted privilege 15

tunnel-group HAS type remote-access

tunnel-group HAS general-attributes

address-pool HASVPNPool

default-group-policy GroupPolicy_HAS

tunnel-group HAS webvpn-attributes

group-alias HAS enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

service call-home

call-home reporting anonymous

call-home

contact-email-addr xxxx.xxxx@domain

profile CiscoTAC-1

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:0a54526e70b07246f1ff92bcfc743913

: end

Thanks,

Todd

Thanks,

Todd Vohs
Owner
Holstein Ag Services, LLC

Thanks, Todd Vohs Owner Holstein Ag Services, LLC
Beginner

Re: Dual ISP, one VPN works and the other does not route

And I had my iPad connected to the frontier vpn and my laptop connected to the evertek vpn at the time of the sh ro.

Thanks,

Todd Vohs
Owner
Holstein Ag Services, LLC

Thanks, Todd Vohs Owner Holstein Ag Services, LLC
Cisco Employee

Re: Dual ISP, one VPN works and the other does not route

Hello Todd,

what about this entry:

nat (inside,evertek) source static local-network local-network destination static Anyconnect-client Anyconnect-client

From sh run I can see that there is no nat-exempt.

Best Regards,

Eugene

Beginner

Re: Dual ISP, one VPN works and the other does not route

That was it.  Works fine now.  Sometimes you cannot see the forest through the trees.  Thanks, Eugene.

Thanks,

Todd Vohs
Owner
Holstein Ag Services, LLC

Thanks, Todd Vohs Owner Holstein Ag Services, LLC
Cisco Employee

Re: Dual ISP, one VPN works and the other does not route

Hello Todd,

You are welcome, you can mark this post as answered if everything is fine now.

Please rate helpful posts

Best Regards,

Eugene

Beginner

Re: Dual ISP, one VPN works and the other does not route

I thought it was something simple.  Thanks again.

Thanks,

Todd Vohs
Owner
Holstein Ag Services, LLC

Thanks, Todd Vohs Owner Holstein Ag Services, LLC
Contributor

Re: Dual ISP, one VPN works and the other does not route

Nice but I don't understand how it can work. The ASA has default route in only one direction, are the reply ESP packets to the iPad/frontier sent via the primary evertek line asymmetrically?

Beginner

Re: Dual ISP, one VPN works and the other does not route

Peter,

I did notice that too.  When I got it working and was connected on the frontier side, it showed the 10.1.4.20 address via Evertek when I did a sh ro, even though it was connected from frontier.  Hmmm.  If it is asymmetric like you said, would it be faster with packets going up into frontier and down via Evertek?

Thanks, Todd Vohs Owner Holstein Ag Services, LLC