RA VPN not working on second outside interface

aaronburgMT
Level 1

I temporarily have two ISPs coming into our ASA 5510.  That is working fine.  I've tried setting up VPN to our second outside interface (outside-XO) and that is not working.  The first/original VPN is working fine.  Can someone look at the config and tell me if I did something wrong?  It is not a client issue because it's able to connect fine on the first interface.  Thanks.

ASA Version 7.1(2)
!
hostname FW01
domain-name *.com
enable password * encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address *.*.229.200 255.255.255.192
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.2.3 255.255.255.0
!
interface Ethernet0/2
nameif outside-XO
security-level 0
ip address *.*.157.100 255.255.255.192
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.14.254 255.255.255.0
management-only
!
passwd * encrypted
banner login Warning this is a Private Network! Unauthorized Trespassers WILL be Prosecuted to the Full extent of the LAW!!!
boot system disk0:/asa712-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
dns server-group DefaultDNS
domain-name *.com
same-security-traffic permit intra-interface
object-group service Webserver tcp
description www and https
port-object eq https
port-object eq www
object-group service Mail tcp
description SMTP POP3 access
port-object eq pop3
port-object eq smtp
port-object eq 32000
object-group service Nonstandard tcp
description port 1429 and 1431
port-object eq 1431
port-object eq 1429
object-group service DNS tcp-udp
description Allow Outside DNS Resolution
port-object eq domain
object-group service FTP tcp
description FTP
port-object eq ftp
object-group service SMTPMail tcp
description SMTP Only Access
port-object eq smtp
object-group service IQWebServer tcp
description www and port 8082 access
port-object eq www
port-object eq 8082
port-object eq https
port-object eq 8999
object-group service SFTP tcp
description SFTP_SSH
port-object eq ssh
access-list outside_access_in extended permit tcp any host *.*.229.201 object-group Webserver
access-list outside_access_in extended permit tcp any host *.*.229.202 object-group Mail
access-list outside_access_in extended permit tcp any host *.*.229.202 object-group Webserver
access-list outside_access_in extended permit tcp any host *.*.229.202 object-group DNS 
access-list outside_access_in extended permit tcp any host *.*.229.203 object-group Nonstandard
access-list outside_access_in extended permit tcp any host *.*.229.204 object-group Webserver
access-list outside_access_in extended permit tcp any host *.*.229.205 object-group Nonstandard
access-list outside_access_in extended permit tcp any host *.*.229.208 object-group Webserver
access-list outside_access_in extended permit tcp any host *.*.157.101 object-group Webserver
access-list outside_access_in extended permit tcp any host *.*.157.102 object-group Mail
access-list outside_access_in extended permit tcp any host *.*.157.102 object-group Webserver
access-list outside_access_in extended permit tcp any host *.*.157.102 object-group DNS 
access-list outside_access_in extended permit tcp any host *.*.157.103 object-group Nonstandard
access-list outside_access_in extended permit tcp any host *.*.157.104 object-group Webserver
access-list outside_access_in extended permit tcp any host *.*.157.105 object-group Nonstandard
access-list outside_access_in extended permit tcp any host *.*.157.108 object-group Webserver
access-list 150 extended permit tcp any any eq smtp
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip any 10.1.1.0 255.255.255.240
access-list Splt_tnl standard permit 192.168.0.0 255.255.0.0
access-list Splt_tnl standard permit 10.1.1.0 255.255.255.0
access-list webcap extended permit tcp any host *.*.164.210 eq smtp
access-list webcap extended permit tcp host *.*.164.210 eq smtp any
pager lines 24
logging enable
logging asdm-buffer-size 200
logging buffered critical
logging asdm errors
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu outside-XO 1500
ip local pool VPNpool 10.1.1.1-10.1.1.15 mask 255.255.255.0
ip local pool VPNCisco 192.168.14.244-192.168.14.253 mask 255.255.255.0
icmp permit any inside
asdm image disk0:/asdm512.bin
asdm history enable
arp timeout 14400
global (outside) 1 *.*.229.194
global (outside-XO) 1 *.*.157.66
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.0.0
static (inside,outside) tcp *.*.229.202 domain 192.168.14.166 domain netmask 255.255.255.255
static (inside,outside) tcp *.*.229.202 www 192.168.14.2 www netmask 255.255.255.255
static (inside,outside) tcp *.*.229.202 smtp 192.168.14.2 smtp netmask 255.255.255.255
static (inside,outside) tcp *.*.229.202 pop3 192.168.14.2 pop3 netmask 255.255.255.255
static (inside,outside) tcp *.*.229.202 32000 192.168.14.2 32000 netmask 255.255.255.255
static (inside,outside) *.*.229.203 192.168.14.6 netmask 255.255.255.255
static (inside,outside) *.*.229.204 192.168.14.28 netmask 255.255.255.255
static (inside,outside) *.*.229.205 192.168.14.205 netmask 255.255.255.255
static (inside,outside) *.*.229.208 192.168.14.29 netmask 255.255.255.255
static (inside,outside) *.*.229.201 192.168.14.3 netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 domain 192.168.14.166 domain netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 www 192.168.14.2 www netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 smtp 192.168.14.2 smtp netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 pop3 192.168.14.2 pop3 netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 32000 192.168.14.2 32000 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.101 192.168.14.3 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.103 192.168.14.6 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.104 192.168.14.28 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.105 192.168.14.205 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.108 192.168.14.29 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_in in interface outside-XO
route outside 0.0.0.0 0.0.0.0 *.*.229.193 1
route inside 192.168.0.0 255.255.0.0 192.168.2.1 1
route outside-XO 0.0.0.0 0.0.0.0 *.*.157.65 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 480
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy Cisco internal
group-policy Cisco attributes
wins-server value 192.168.14.4 192.168.14.11
dns-server value 192.168.14.4 192.168.14.11
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Splt_tnl
default-domain value *.com
username * password * encrypted
username * password * encrypted privilege 0
username * password * encrypted
username * password * encrypted
username * password * encrypted
username * password * encrypted privilege 15
username * password * encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 management
http 192.168.14.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside-XO
snmp-server host inside 192.168.14.27 community public
snmp-server location *
snmp-server contact Network Admin
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside-XO_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside-XO_map 65535 ipsec-isakmp dynamic outside-XO_dyn_map
crypto map outside-XO_map interface outside-XO
isakmp enable outside
isakmp enable outside-XO
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 600 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 600 retry 10
tunnel-group Cisco type ipsec-ra
tunnel-group Cisco general-attributes
address-pool VPNpool
default-group-policy Cisco
tunnel-group Cisco ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 600 retry 10
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.14.109 255.255.255.255 inside
telnet 192.168.14.36 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 10
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map INSPECT
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class INSPECT
  inspect dns
  inspect http
  inspect icmp
  inspect tftp
  inspect ftp
  inspect h323 ras
  inspect h323 h225
  inspect snmp
  inspect sip
  inspect esmtp
class inspection_default
  inspect ftp
!
service-policy global_policy global
tftp-server inside 192.168.14.21 TFTP-root/
smtp-server 192.168.14.2
Cryptochecksum:5eedeb06395378ed1c308a70d253c1b6
: end

Accepted Solution

Hi,

Should work.

What I'm thinking is the routes:

route outside 0.0.0.0 0.0.0.0 *.*.229.193 1
route outside-XO 0.0.0.0 0.0.0.0 *.*.157.65 2

If the first interface is OK, the ASA is not going to route packets via the second interface; therefore the VPN will not get established through that interface.

From the client, can you PING both outside IPs of the ASA or only the first one?

Try adding a static route on the ASA to the secondary outside interface pointing to the address of the client and try to connect via VPN and see if it works.

The commands:

sh cry isa sa

sh cry ips sa

Will be a great help as well, when the VPN connection attempt fails.

Federico.


7 Replies

nomair_83
Level 3

paste debug crypto isakmp and ipsec logs here plz


Federico, I was thinking the same thing regarding the routes.

I can ping the first outside IP, but not the second from the client.

I tried the static route, but it still did not work.  What is the exact route you would write?

Here is the sh and debug output:

FW01(config)# sh crypto isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 166.205.136.217
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_WAIT_MSG3

FW01(config)# debug crypto isakmp
FW01(config)# Mar 10 12:27:33 [IKEv1]: Group = Cisco, IP = 166.205.136.217, Removing peer from peer table failed, no match!
Mar 10 12:27:33 [IKEv1]: Group = Cisco, IP = 166.205.136.217, Error: Unable to remove PeerTblEntry

sh crypto ipsec sa and debug crypto ipsec showed/did nothing.

- Aaron

Anyone else have any suggestions or comments?  I'm really hoping to get this to work.

- Aaron

You cannot PING the second public IP address of the ASA, because the ASA routes all outgoing traffic via the primary interface.

You can create a static route like this:

route SECONDARY_INTERFACE x.x.x.x 255.255.255.255 NEXT_HOP

Let me explain:

SECONDARY_INTERFACE is the name of the second interface where the tunnel terminates

x.x.x.x is the public IP address from where your VPN client connection is coming from

NEXT_HOP is the next-IP from the ASA out the secondary interface

This route creates a path through the secondary interface to reach the public IP address of your VPN client.

Try it like this and post the result of:

sh cry isa sa

sh cry ips sa

Federico.

Federico, that worked.  Output below.  Any way to get this to work without coding in ip address?  Perhaps a static route based on UDP 500?

FW01(config)# sh cry isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 166.205.139.238
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_TM_INIT_XAUTH_V6H

FW01(config)# sh cry isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 166.205.139.238
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

FW01(config)# sh cry ips sa
interface: outside-XO
    Crypto map tag: outside-XO_dyn_map, seq num: 10, local addr: *.*.157.100

      local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.12/255.255.255.255/0/0)
      current_peer: 166.205.139.238, username: *
      dynamic allocated peer ip: 10.1.1.12

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: *.*.157.100/4500, remote crypto endpt.: 166.205.139.238/33759
      path mtu 1500, ipsec overhead 68, media mtu 1500
      current outbound spi: 02BC3DB6

    inbound esp sas:
      spi: 0x535BC7D4 (1398523860)
         transform: esp-3des esp-sha-hmac
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 839, crypto-map: outside-XO_dyn_map
         sa timing: remaining key lifetime (sec): 3598
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x02BC3DB6 (45890998)
         transform: esp-3des esp-sha-hmac
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 839, crypto-map: outside-XO_dyn_map
         sa timing: remaining key lifetime (sec): 3594
         IV size: 8 bytes
         replay detection support: Y

The thing is that the ASA needs to know out which interface to reach the public IP address that you're coming from.

On your original config, the ASA sends out all packets (that don't match the routing table) via the first outside interface (based on the default route and metric)

If something causes this interface to go down, the ASA will route all packets via the secondary interface.

You cannot tell the ASA that your public IP is reachable via both interfaces at the same time without doing some kind of load balancing.

Please let me know exactly the goal of this design, so we can help you out better.

Hope it's clear.

Federico.
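The route-selection behaviour Federico describes in his two replies above (longest prefix first, then metric, so two default routes never share traffic, and a /32 host route is what steers one client's return traffic out the secondary interface) can be illustrated with a small routing-table model. This is an added example, not code from the thread or from Cisco; it mirrors the routes in the posted config, but the next-hop addresses are documentation-range placeholders because the original post masks them with *.*, and the client address 166.205.139.238 is the one from the posted show output. It also answers the "route based on UDP 500" question: the lookup is keyed on the destination address only, so a port can never select an interface.

```python
import ipaddress

# Constructed routing table mirroring the ASA config in the thread.
# Next hops are placeholders (the post masks the real ones as *.*.229.193 / *.*.157.65).
ROUTES = [
    # (destination prefix, exit interface, next hop, metric)
    ("0.0.0.0/0", "outside", "203.0.113.193", 1),       # route outside 0.0.0.0 0.0.0.0 <gw> 1
    ("0.0.0.0/0", "outside-XO", "198.51.100.65", 2),    # route outside-XO 0.0.0.0 0.0.0.0 <gw> 2
    ("192.168.0.0/16", "inside", "192.168.2.1", 1),     # route inside 192.168.0.0 255.255.0.0 ...
]

VPN_CLIENT = "166.205.139.238"  # peer IP from the "sh cry isa sa" output in the thread


def lookup(routes, dst):
    """Return (interface, next_hop) for a destination address.

    Selection is longest prefix match, with the lowest metric breaking ties.
    Note the key is the destination IP only: there is no port in a route, so a
    "route for UDP 500" is not expressible in a plain routing table.
    """
    ip = ipaddress.ip_address(dst)
    candidates = [
        (ipaddress.ip_network(prefix), iface, nh, metric)
        for prefix, iface, nh, metric in routes
        if ip in ipaddress.ip_network(prefix)
    ]
    if not candidates:
        return None
    net, iface, nh, _ = max(candidates, key=lambda c: (c[0].prefixlen, -c[3]))
    return iface, nh


def reply_path_symmetric(routes, client_ip, arrived_on):
    """True if the ASA's reply to client_ip leaves the same interface the
    request arrived on. IKE cannot complete when this is False: the client
    sent to one public IP and the reply comes back from the other interface."""
    chosen = lookup(routes, client_ip)
    return chosen is not None and chosen[0] == arrived_on


def with_host_route(routes, client_ip, iface, next_hop):
    """Return a new table with the /32 host route Federico suggests added."""
    return routes + [(f"{client_ip}/32", iface, next_hop, 1)]


def host_route_command(iface, client_ip, next_hop):
    """Render the route in the syntax quoted in the thread:
    route SECONDARY_INTERFACE x.x.x.x 255.255.255.255 NEXT_HOP"""
    return f"route {iface} {client_ip} 255.255.255.255 {next_hop}"


if __name__ == "__main__":
    for table, label in ((ROUTES, "original"),
                         (with_host_route(ROUTES, VPN_CLIENT, "outside-XO", "198.51.100.65"), "with host route")):
        iface, nh = lookup(table, VPN_CLIENT)
        print(f"{label}: reply to {VPN_CLIENT} leaves {iface} via {nh}; "
              f"IKE on outside-XO works: {reply_path_symmetric(table, VPN_CLIENT, 'outside-XO')}")
    print(host_route_command("outside-XO", VPN_CLIENT, "198.51.100.65"))
```

Running the script shows the original table sending the reply out `outside` regardless of which interface the IKE packet hit, and the host route flipping that to `outside-XO` for this one client. It also makes Federico's last caveat concrete: once the host route exists, that client can no longer reach the VPN on the first interface, because the ASA has exactly one answer per destination.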
