ASA 5515. 9.8(4)20. Dual ISP scenario. Problem with VPN tunnel

mikeok
Level 1

Hello!

I have implemented dual ISP routing on ASA firewall and faced a problem with a VPN tunnel.

- Pre-implementation state:

The firewall had one outgoing interface ("outside"). Several VPN tunnels were built over it. Most of the Internet traffic was also routed over one of the tunnels (to ZScaler, to implement additional policies there; ZScaler works as a responder only). The default route was also tied to this interface.

- Target design:

An additional interface was added ("outside3"). It has to be used as the primary one for all Internet destinations and for the tunnel to ZScaler. All other existing tunnels, incoming traffic, and AnyConnect clients have to be kept on the "outside" interface.

I modified static routes, added the necessary tracking, created a separate crypto map for the new interface, and updated the NAT rules. At first sight everything worked fine, but a bit later the client started complaining about Internet connection quality.

I saw the following messages in the logs related to the ZScaler remote peer:

Jul 31 18:24:53 [IKEv1]IP = 165.225.214.48, Attempting to establish a phase2 tunnel on outside interface but phase1 tunnel is on outside3 interface. Tearing down old phase1 tunnel due to a potential routing change.

Jul 31 18:24:53 [IKEv1]IP = 165.225.214.48, IKE Initiator: New Phase 1, Intf inside, IKE Peer 165.225.214.48  local Proxy Address 10.0.0.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map0)

...

Jul 31 18:24:53 [IKEv1]Group = 165.225.214.48, IP = 165.225.214.48, Session is being torn down. Reason: Unknown


Troubleshooting together with ZScaler didn't help much. As I wrote, their equipment works as a responder only, and they see in their logs packets coming from both ASA interfaces.

The situation becomes stable when I disable the "outside3" interface and all traffic is routed over the "outside" interface again.

I attached the running-config and two debug files: one was collected when only one interface was active, and the other when both outside interfaces were UP.

Please share your ideas on what could be wrong.
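
The three syslog lines quoted in the post are the clearest evidence of what is happening: the ASA sees phase 1 for the ZScaler peer on one interface and then tries to build phase 2 on the other, so it tears the SA down and renegotiates, over and over. Before touching routing or crypto maps, it helps to confirm from the logs how often this happens, for which peers, and which crypto map the new phase 1 lands on. The following is an added triage script, not part of the original post and not Cisco tooling; it parses ASA IKEv1 log lines of exactly the shapes shown above and reports, per remote peer, the phase 2 / phase 1 interface mismatches, the number of session teardowns, and the crypto maps seen. The sample log is constructed from the post's three lines plus one constructed line for a second, healthy peer (192.0.2.10 is a documentation address, not a real peer).

```python
import re
from collections import defaultdict

# Constructed sample input: the three lines quoted in the post, plus one
# constructed line for a second peer that shows no interface mismatch.
SAMPLE_LOG = """\
Jul 31 18:24:53 [IKEv1]IP = 165.225.214.48, Attempting to establish a phase2 tunnel on outside interface but phase1 tunnel is on outside3 interface. Tearing down old phase1 tunnel due to a potential routing change.
Jul 31 18:24:53 [IKEv1]IP = 165.225.214.48, IKE Initiator: New Phase 1, Intf inside, IKE Peer 165.225.214.48  local Proxy Address 10.0.0.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map0)
Jul 31 18:24:53 [IKEv1]Group = 165.225.214.48, IP = 165.225.214.48, Session is being torn down. Reason: Unknown
Jul 31 18:25:10 [IKEv1]IP = 192.0.2.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.0.2.10  local Proxy Address 10.0.0.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Phase 2 requested on one interface while phase 1 lives on another.
MISMATCH_RE = re.compile(
    r"\[IKEv1\]IP = (?P<peer>" + IPV4 + r"), Attempting to establish a phase2 tunnel on "
    r"(?P<p2_if>\S+) interface but phase1 tunnel is on (?P<p1_if>\S+) interface"
)
# The ASA giving up on the SA for that peer.
TEARDOWN_RE = re.compile(
    r"\[IKEv1\].*IP = (?P<peer>" + IPV4 + r"), Session is being torn down"
)
# A fresh phase 1 as initiator, with the crypto map that triggered it.
NEW_P1_RE = re.compile(
    r"\[IKEv1\]IP = (?P<peer>" + IPV4 + r"), IKE Initiator: New Phase 1.*"
    r"Crypto map \((?P<map>[^)]+)\)"
)


def analyze(log_text):
    """Return {peer: {"mismatches": [(phase2_if, phase1_if)], "teardowns": n,
    "crypto_maps": {...}}} for every IKEv1 peer seen in log_text."""
    peers = defaultdict(
        lambda: {"mismatches": [], "teardowns": 0, "crypto_maps": set()}
    )
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            peers[m["peer"]]["mismatches"].append((m["p2_if"], m["p1_if"]))
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            peers[m["peer"]]["teardowns"] += 1
            continue
        m = NEW_P1_RE.search(line)
        if m:
            peers[m["peer"]]["crypto_maps"].add(m["map"])
    return dict(peers)


def flapping_peers(report):
    """Peers whose phase 2 and phase 1 landed on different interfaces,
    i.e. the tunnels that are being torn down for a routing reason."""
    return sorted(peer for peer, r in report.items() if r["mismatches"])


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for peer in flapping_peers(report):
        r = report[peer]
        pairs = ", ".join(f"phase2 on {p2} vs phase1 on {p1}" for p2, p1 in r["mismatches"])
        print(f"{peer}: {len(r['mismatches'])} mismatch(es) [{pairs}], "
              f"{r['teardowns']} teardown(s), crypto maps {sorted(r['crypto_maps'])}")
```

Run against the real syslog export (for example, `analyze(open("asa.log").read())`): a peer listed by `flapping_peers` with the two interface names alternating is the signature of a single peer being reachable via two interfaces with a crypto map on each, which is what the post describes for the ZScaler peer; peers that appear only under `crypto_maps` with no mismatches are behaving normally.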
