07-07-2016 05:37 AM
I have a normal (non-VPN) point-to-point link between two ASAs, and I'd like to create a backup link using a VPN across our corporate network cloud. I've tried to do this, following Cisco example configs, but the VPN is not coming up when the tracked route goes down.
NB. this is not a default route, just a route to a single /27.
Here's the sla/track configs (I am confident with the VPN config, so haven't included it here):
FW1:

route inter-site 192.168.61.0 255.255.255.224 10.20.30.3 1 track 1
route corp-outside 0.0.0.0 0.0.0.0 10.92.215.225 1
route corp-outside 192.168.61.0 255.255.255.224 10.92.215.225 100
sla monitor 100
 type echo protocol ipIcmpEcho 10.20.30.3 interface inter-site
 num-packets 3
 frequency 10
sla monitor schedule 100 life forever start-time now
track 1 rtr 100 reachability

FW2:

route inter-site 192.168.60.0 255.255.255.224 10.20.30.1 1 track 1
route corp-outside 0.0.0.0 0.0.0.0 10.72.215.225 1
route corp-outside 192.168.60.0 255.255.255.224 10.72.215.225 100
sla monitor 100
 type echo protocol ipIcmpEcho 10.20.30.1 interface inter-site
 num-packets 3
 frequency 10
sla monitor schedule 100 life forever start-time now
track 1 rtr 100 reachability
When I shut down the tracked interface on one side, the tracked route is removed from the routing table and replaced by the backup route via the corp-outside interface.
However, the VPN does not come up and I see lots of:
Routing failed to locate next hop for TCP from prod-inside:192.168.61.8/51583 to inter-site:192.168.60.5/11322
...errors in the logs. You can see that packets are still being sent to the inter-site interface, which is no longer in the routing table.
Any help appreciated
Solved! Go to Solution.
07-07-2016 11:26 AM
Hello Handsy,
Just out of curiosity, assuming that you are NATing the traffic pointing to the internet to a public IP, when creating the NAT exemption for the site-to-site VPN did you use the "route-lookup" keyword?
Example for the nat exemption:
nat (inside,outside) source static Local-Lan Local-Lan destination static Remote-Lan Remote-Lan no-proxy-arp route-lookup
The route-lookup keyword makes the ASA consult the routing table first, before choosing the egress interface from the NAT rule, and hence follow the correct path.
Could you run a packet-tracer command to check the path followed by the traffic while testing the site-to-site option?
for icmp:
packet-tracer input <inside> icmp <local host> 8 0 <remote host> detailed
for tcp (based on your log):
packet-tracer input <inside> tcp 192.168.61.8 51583 192.168.60.5 11322 detailed
Regards,
Miguel
07-08-2016 12:25 AM
Thanks for your reply Miguel, this helped and, although it didn't wholly fix my problem, was extremely helpful in pointing me in the right direction.
I had a lot of identity NAT rules on the same interface I was using for backup, as well as a redundant NAT exemption on the interface that was my primary!
In summary, my NAT rules were a mess!
I removed the redundant NAT exemption rule, and added a new one for the backup VPN along with the 'route-lookup' suffix.
This fixed my problem immediately, and the route flipped back and forth when I shut/no shut my interface.
Many thanks for all your help.
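The following is an added example, not configuration posted in this thread, showing how Miguel's route-lookup point and Handsy's final fix fit together on the firewall that logged the error (the one whose local LAN is 192.168.61.0/27 and whose remote LAN is 192.168.60.0/27, i.e. FW2). The object names LOCAL-LAN and REMOTE-LAN are assumed; the interface names, prefixes and next hops are taken from the original post. The "before" rule reproduces the failure mode described in the thread; the "after" rule is the shape of the fix described in the last post.

```cisco
! Added example (not from the original thread). Object names are assumed.
object network LOCAL-LAN
 subnet 192.168.61.0 255.255.255.224
object network REMOTE-LAN
 subnet 192.168.60.0 255.255.255.224

! BEFORE: identity NAT pinned to the primary interface, no route-lookup.
! The ASA takes the egress interface from this rule (inter-site), not from
! the routing table. Once track 1 withdraws the inter-site route, the box
! still tries to send via inter-site and logs
! "Routing failed to locate next hop for TCP from prod-inside:... to inter-site:..."
nat (prod-inside,inter-site) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp

! AFTER: remove the rule above and keep a single exemption for the backup
! VPN path, with route-lookup so the egress interface follows the routing
! table (inter-site while the tracked route is up, corp-outside after failover).
no nat (prod-inside,inter-site) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp
nat (prod-inside,corp-outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! Tracked primary route and floating backup route, as in the original post.
route inter-site 192.168.60.0 255.255.255.224 10.20.30.1 1 track 1
route corp-outside 192.168.60.0 255.255.255.224 10.72.215.225 100

! Verification after shutting the inter-site interface: the route should
! now point at corp-outside and packet-tracer should show the VPN phase.
show route 192.168.60.0
packet-tracer input prod-inside tcp 192.168.61.8 51583 192.168.60.5 11322 detailed
```

The identity NAT on the backup interface is still needed only because the corporate-facing path presumably has a dynamic NAT that would otherwise translate the VPN traffic; the exemption stops that, and route-lookup stops the exemption itself from overriding the routing decision. Without route-lookup, the same traffic would be pinned to whichever interface the NAT rule names, which is exactly the symptom the thread describes.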