ASA - Create a backup route via VPN

I have a normal (non-VPN) point-to-point link between 2x ASAs, and I'd like to create a backup link using a VPN across our Corporate network cloud. I've tried to do this, following Cisco example configs, but the VPN is not coming up when the tracked route goes down.

NB. this is not a default route, just a route to a single /27.

Here's the sla/track configs (I am confident with the VPN config, so haven't included it here):

FW1

route inter-site 192.168.61.0 255.255.255.224 10.20.30.3 1 track 1
route corp-outside 0.0.0.0 0.0.0.0 10.92.215.225 1
route corp-outside 192.168.61.0 255.255.255.224 10.92.215.225 100

sla monitor 100
 type echo protocol ipIcmpEcho 10.20.30.3 interface inter-site
 num-packets 3
 frequency 10

sla monitor schedule 100 life forever start-time now

track 1 rtr 100 reachability

FW2

route inter-site 192.168.60.0 255.255.255.224 10.20.30.1 1 track 1
route corp-outside 0.0.0.0 0.0.0.0 10.72.215.225 1
route corp-outside 192.168.60.0 255.255.255.224 10.72.215.225 100

sla monitor 100
 type echo protocol ipIcmpEcho 10.20.30.1 interface inter-site
 num-packets 3
 frequency 10

sla monitor schedule 100 life forever start-time now

track 1 rtr 100 reachability

When I shut down the tracked interface on one side, the tracked route is removed from the routing table and replaced by the backup route via the corp-outside interface.

However, the VPN does not come up and I see lots of:

Routing failed to locate next hop for TCP from prod-inside:192.168.61.8/51583 to inter-site:192.168.60.5/11322

...errors in the logs. You can see that packets are still being sent to the inter-site interface, which is no longer in the routing table.

Any help appreciated.

Accepted Solutions

Hello Handsy,

Just out of curiosity, assuming that you are NATing the traffic pointing to the internet to a public IP, when creating the NAT exemption for the site-to-site did you use the "route-lookup" command?

Example for the nat exemption:

nat (inside,outside) source static Local-Lan Local-Lan destination static Remote-Lan Remote-Lan no-proxy-arp route-lookup

The route-lookup command should make the packet look into the routing table first before performing the NAT, and hence follow the correct path.

Could you run a packet-tracer command to check the path followed by the traffic while testing the site-to-site option?

For ICMP:

packet-tracer input <inside> icmp <local host> 8 0 <remote host> detailed

For TCP (based on your log):

packet-tracer input <inside> tcp 192.168.61.8 51583 192.168.60.5 11322 detailed

Regards,

Miguel
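As an added illustration of Miguel's point (not code from the thread or from Cisco): a small Python model of how a matching manual NAT rule pins the egress interface unless route-lookup is set, run against FW2's routes and the flow from the logged message. The NAT exemption rule, the track-state dictionary and the reason strings are assumptions; the model ignores ACLs, proxy ARP and the VPN itself.

```python
import ipaddress
from dataclasses import dataclass
IP, NET = ipaddress.ip_address, ipaddress.ip_network

@dataclass
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    metric: int
    track: int = 0                # track object id; 0 = untracked. A tracked route leaves the RIB when its track is down

@dataclass
class NatRule:
    ingress: str
    egress: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    route_lookup: bool = False    # the 'route-lookup' keyword on the nat statement

def lookup(routes, tracks, dst):
    """RIB lookup: discard routes whose track object is down, then longest prefix, lowest metric."""
    rib = [r for r in routes if r.track == 0 or tracks.get(r.track, False)]
    cands = [r for r in rib if dst in r.prefix]
    return max(cands, key=lambda r: (r.prefix.prefixlen, -r.metric)) if cands else None

def egress_interface(ingress, src, dst, routes, tracks, nat_rules):
    """Simplified model of ASA egress selection: a matching manual NAT rule pins its egress
    interface unless it has route-lookup, in which case the RIB decides. Returns (iface, reason)."""
    route = lookup(routes, tracks, dst)
    for rule in nat_rules:
        if rule.ingress == ingress and src in rule.src and dst in rule.dst:
            if rule.route_lookup:
                break                         # fall through to the routing table
            if route is None or route.iface != rule.egress:
                return None, "Routing failed to locate next hop"   # the %ASA-6-110003 text seen in the question
            return rule.egress, "pinned by NAT rule"
    return (route.iface, "routing table") if route else (None, "no route")

# FW2's routes from the thread: tracked /27 via inter-site, floating /27 (metric 100) via corp-outside.
FW2_ROUTES = [
    Route("inter-site", NET("192.168.60.0/27"), 1, track=1),
    Route("corp-outside", NET("0.0.0.0/0"), 1),
    Route("corp-outside", NET("192.168.60.0/27"), 100),
]
# Constructed NAT exemption on the primary link, as the question describes, with and without route-lookup.
PINNED = NatRule("prod-inside", "inter-site", NET("192.168.61.0/27"), NET("192.168.60.0/27"))
WITH_LOOKUP = NatRule("prod-inside", "inter-site", NET("192.168.61.0/27"), NET("192.168.60.0/27"), route_lookup=True)

def flow(tracks, rule):
    """The flow from the question's log line: prod-inside 192.168.61.8 -> 192.168.60.5."""
    return egress_interface("prod-inside", IP("192.168.61.8"), IP("192.168.60.5"), FW2_ROUTES, tracks, [rule])
```

With track 1 down, the pinned rule reproduces the "Routing failed to locate next hop" outcome, while the route-lookup variant follows the floating route out corp-outside.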


Thanks for your reply Miguel, this helped, and although it didn't wholly fix my problem, it was extremely helpful in pointing me in the right direction.

I had a lot of identity NAT rules on the same interface as I was using for backup, as well as a redundant NAT exemption on the interface that was my primary!
In summary, my NAT rules were a mess!

I removed the redundant NAT exemption rule, and added a new one for the backup VPN along with the 'route-lookup' suffix.

This fixed my problem immediately, and the route flipped back and forth when I shut/no shut my interface.

Many thanks for all your help.