ASA IPSec VPN with two active ISP

antonkupriyanov
Level 1

Hi to ALL!

I have one question.

So, I have an ASA running 9.2(1) software, connected to ISPs with SLA tracking enabled.

I need to configure a redundant IPSec VPN via ISP2, while all other traffic should pass through ISP1. If one of the ISPs goes down, all traffic including the VPN should be routed via the ISP that is still alive.

I have SLA configured and it works.

ciscoasa# show run route
route isp1 0.0.0.0 0.0.0.0 10.175.2.5 5 track 1
route isp2 0.0.0.0 0.0.0.0 10.175.3.5 10 track 2
route isp2 172.22.10.5 255.255.255.255 10.175.3.5 1 track 2

Here we can see that if ISP1 and ISP2 are both up, all traffic is routed via ISP1, but traffic destined to the IPSec remote peer 172.22.10.5 is routed via ISP2.

This configuration works only when isp1 or isp2 is down, or if the static route to host 172.22.10.5 is removed. When both ISPs are up, the ASA doesn't send any IPSec packets to the remote side.

 

ciscoasa# show run nat
nat (inside,isp2) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup
nat (inside,isp1) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup

 

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map cm_vpnc 10 match address acl_vpn
crypto map cm_vpnc 10 set pfs
crypto map cm_vpnc 10 set peer 172.22.10.5
crypto map cm_vpnc 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map cm_vpnc 10 set security-association lifetime seconds 86400
crypto map cm_vpnc interface isp1
crypto map cm_vpnc interface isp2
crypto ca trustpool policy
crypto ikev1 enable isp1
crypto ikev1 enable isp2
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

 

ciscoasa# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 192.168.2.1     255.255.255.0   CONFIG
Vlan2                    isp1                   10.175.2.10     255.255.255.0   CONFIG
Vlan3                    isp2                   10.175.3.10     255.255.255.0   CONFIG

 

The main question is: why?

Thank you in advance,

Anton
16 Replies

Hi Sandy,

What is the connection between my problem and RRI? 

BTW:

ciscoasa(config)# crypto map cm_vpnc 10 set reverse-route
ERROR: Crypto map associated with multiple interfaces. Cannot enable rri

 

I made one test... And now I'm totally confused.

If I save the configuration and reboot the device after each condition change, it works. For example, if I reboot the device with both interfaces in the "no shutdown" state, it works after the reboot. If I reboot the device with any interface in "shutdown", it works after the reboot. All I need to do is reboot. But it doesn't work after a condition change without a reboot...

clear crypto isakmp doesn't help, just a reboot.

OK... As I said, I'm making these tests on my 5505.

So I configured a 5512 with exactly the same VPN-related configuration and... it works without rebooting...

And now I wonder why it doesn't work on the 5505 in my lab but does work on the 5512... The devices have the same SW version...

 

Anton

Petr Solovev
Level 1

Hi.

I've found a solution. It's a workaround, and it looks really stupid.

 

So, we found that the ASA incorrectly determines the outgoing interface, probably because it does not compare metrics (bug?).
The idea is to remove the default route on the backup interface completely while the main ISP is active.
On an IOS router this would be a boolean track with the condition "not", but the ASA does not support this.

Also, we do not have full EEM support.

We need to create a situation in which the track associated with the backup ISP route is in a down state while the main provider is active. On the ASA this is difficult, because routes are "tied" to interfaces.

 

My solution is (tricky part):

 

! Assume that isp2 is the main ISP and isp1 the backup ISP
! M.M.M.M - real MAIN ISP gateway
! B.B.B.B - real BACKUP ISP gateway
! D.D.D.D - dummy gateway, no real host on this IP!

route isp2 0.0.0.0 0.0.0.0 M.M.M.M 100 track 2
route isp1 0.0.0.0 0.0.0.0 B.B.B.B 150 track 3

! dummy route: D.D.D.D is a directly connected "gateway" with no real host behind it
route isp1 1.0.0.1 255.255.255.255 D.D.D.D 10 track 2
! normal route
route isp1 1.0.0.1 255.255.255.255 B.B.B.B 50

!
sla monitor 2
 type echo protocol ipIcmpEcho M.M.M.M interface isp2
 num-packets 3
 frequency 10
sla schedule 2 life forever start-time now
!
sla monitor 3
 type echo protocol ipIcmpEcho 1.0.0.1 interface isp1
 num-packets 3
 frequency 10
sla schedule 3 life forever start-time now

In the scheme above, track 3 is down while the dummy route exists. When track 2 goes down, the dummy route is removed, so the normal route to 1.0.0.1 becomes active; now track 3 goes up and activates the backup route.

 

The drawback of this method is that we can no longer process traffic on the backup interface. But this can probably be solved by modifying the scheme, using the same idea of route absence.
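As an added illustration that is not part of the thread, here is a small Python model of the route-and-track dependency chain in the workaround above: it resolves which default route is installed depending on whether the main ISP probe succeeds. The gateway labels M.M.M.M, B.B.B.B and D.D.D.D are the post's own placeholders; the destination 8.8.8.8 is a constructed sample, and the model assumes ASA behaviour of installing a tracked route only while its track is up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    iface: str
    prefix: str            # e.g. "0.0.0.0/0" or "1.0.0.1/32"
    gateway: str
    metric: int
    track: Optional[int] = None   # SLA track that must be up for the route to be installed

# Constructed model of the workaround: placeholders M.M.M.M (main gw),
# B.B.B.B (backup gw) and D.D.D.D (dummy gw) come from the post.
ROUTES = [
    Route("isp2", "0.0.0.0/0", "M.M.M.M", 100, track=2),
    Route("isp1", "0.0.0.0/0", "B.B.B.B", 150, track=3),
    Route("isp1", "1.0.0.1/32", "D.D.D.D", 10, track=2),  # dummy: black-holes the probe while main is up
    Route("isp1", "1.0.0.1/32", "B.B.B.B", 50),           # normal route to the probe target
]
LIVE_GATEWAYS = {"M.M.M.M", "B.B.B.B"}   # D.D.D.D has no host behind it, so nothing answers

def lookup(routes, tracks, dst):
    """Route selection as modelled here: only routes whose track is up are
    installed; longest prefix wins, then the lowest metric."""
    d = ipaddress.ip_address(dst)
    cands = [r for r in routes
             if (r.track is None or tracks.get(r.track, False))
             and d in ipaddress.ip_network(r.prefix)]
    if not cands:
        return None
    return min(cands, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.metric))

def resolve_tracks(routes, main_isp_up):
    """Track 2 follows the probe to the main ISP gateway. Track 3 follows the
    probe to 1.0.0.1, which only succeeds when the *installed* route to
    1.0.0.1 points at a gateway that actually answers."""
    tracks = {2: main_isp_up, 3: False}
    r = lookup(routes, tracks, "1.0.0.1")
    tracks[3] = r is not None and r.gateway in LIVE_GATEWAYS
    return tracks

def egress_for_default(routes, main_isp_up):
    """Return (track states, interface used for a constructed non-local destination)."""
    tracks = resolve_tracks(routes, main_isp_up)
    r = lookup(routes, tracks, "8.8.8.8")
    return tracks, (r.iface if r else None)

if __name__ == "__main__":
    for state in (True, False):
        print("main ISP up" if state else "main ISP down", "->", egress_for_default(ROUTES, state))
```

With the main ISP up, track 3 stays down because the probe to 1.0.0.1 is swallowed by the dummy route, so only the isp2 default is installed; when track 2 fails, the dummy route disappears, track 3 comes up and the isp1 default takes over.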