ASA: Multihoming & VPN Failover

westenberg
Level 1

Hello,

we use a Cisco ASA 5505 (8.0(2)) with ASDM (6.0(2)) in a multihomed environment. Both outside interfaces have fixed, static IPs. In case of an Internet line failure, I would like to switch our IPsec VPN tunnel from one line to the other.

In ASDM, there is no way to change the local interface of a site-to-site VPN connection profile from one interface to the other. You have to delete the profile and add a new one with the other interface.

Is there any way to do this in a smarter way?

Telnet is unfortunately not an option.

Thank you.

Cheers.

Sven

4 Replies

trippi
Level 1

You will need to set up two tunnels on the ASA, one on each interface.

You could use static floating routes/policy NAT to choose which interface is used.

Hello,

OK, I guess I know what your idea is. Here is my current config:

tunnel-group [remotepeer] type ipsec-l2l
tunnel-group [remotepeer] ipsec-attributes
pre-shared-key *
isakmp keepalive disable

access-list outside_2_cryptomap extended permit ip [localinternal] 255.255.255.0 [remoteinternal] 255.255.255.0
access-list outside_1_cryptomap extended permit ip [localinternal] 255.255.255.0 [remoteinternal] 255.255.255.0

crypto map outside_1_map 1 match address outside_1_cryptomap
crypto map outside_1_map 1 set peer [remotepeer]
crypto map outside_1_map 1 set transform-set ESP-3DES-SHA
crypto map outside_1_map interface outside_1

crypto map outside_2_map2 1 match address outside_2_cryptomap
crypto map outside_2_map2 1 set peer [remotepeer]
crypto map outside_2_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_2_map2 interface outside_2

route outside_1 0.0.0.0 0.0.0.0 [gateway_1] 1
route outside_2 [remotepeer] 255.255.255.255 [gateway_2] 1
route outside_2 [remoteinternal] 255.255.255.0 [gateway_2] 1

I have created one tunnel-group, but two sets of access-lists and crypto maps, one for each interface. The specific routes are currently configured for the 2nd interface: one route for the public IP of the VPN peer and the other for the remote internal subnet.

So, your proposal is either to change the two routes to interface outside_1 and [gateway_1] (OK, in this case just delete them...) or to add new routes for outside_1 and [gateway_1] with a lower metric (OK, in this case change the metric of the outside_2 routes to a higher value)? The changes to the static routes control the VPN connection?

I guess a manual config change will be needed each time the Internet connection fails? The interface will remain up, because the next hop rarely has the problem. By the way, the remote peer's config needs to be changed, too. So tracking or similar ideas are no real solution...

Thank you
Sven

Sven,

The VPN config looks good.

Yes, the routing controls which VPN the traffic utilizes. You can use this same setup on the other end if it is an ASA, or if it is an IOS device you could use Embedded Event Manager.

route outside_1 [remotepeer] 255.255.255.255 [gateway_1] track 1
route outside_1 [remoteinternal] 255.255.255.0 [gateway_1] track 1
route outside_2 [remotepeer] 255.255.255.255 [gateway_2] 220
route outside_2 [remoteinternal] 255.255.255.0 [gateway_2] 220

sla monitor 123
 type echo protocol ipIcmpEcho [remotepeer] interface outside_1
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability
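
Putting the two posts together, here is a consolidated ASA 8.0-style configuration for the tracked-route failover trippi describes. It is an added example, not config from either poster: the bracketed placeholders, ACL and crypto map names are taken from the thread, while the ISAKMP policy, the ESP-3DES-SHA transform-set definition, the NAT-exemption ACL (inside_nat0_outbound, pre-8.3 syntax) and the [psk] placeholder are assumptions added to make the fragment complete.

```cisco
! Assumed ISAKMP/IPsec parameters matching the ESP-3DES-SHA transform set used in the thread
crypto isakmp enable outside_1
crypto isakmp enable outside_2
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! One tunnel-group, keyed by the remote peer address, serves both interfaces
tunnel-group [remotepeer] type ipsec-l2l
tunnel-group [remotepeer] ipsec-attributes
 pre-shared-key [psk]
 isakmp keepalive disable
!
! Identical crypto ACLs, one per outside interface
access-list outside_1_cryptomap extended permit ip [localinternal] 255.255.255.0 [remoteinternal] 255.255.255.0
access-list outside_2_cryptomap extended permit ip [localinternal] 255.255.255.0 [remoteinternal] 255.255.255.0
!
! NAT exemption for the VPN traffic (assumed ACL name, pre-8.3 syntax)
access-list inside_nat0_outbound extended permit ip [localinternal] 255.255.255.0 [remoteinternal] 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
crypto map outside_1_map 1 match address outside_1_cryptomap
crypto map outside_1_map 1 set peer [remotepeer]
crypto map outside_1_map 1 set transform-set ESP-3DES-SHA
crypto map outside_1_map interface outside_1
!
crypto map outside_2_map2 1 match address outside_2_cryptomap
crypto map outside_2_map2 1 set peer [remotepeer]
crypto map outside_2_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_2_map2 interface outside_2
!
! Probe the peer out of outside_1 only, so the test keeps using the primary path
! even after the tracked routes have been withdrawn
sla monitor 123
 type echo protocol ipIcmpEcho [remotepeer] interface outside_1
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
!
! Primary path: host route to the peer and route to the remote LAN, both tied to track 1
route outside_1 0.0.0.0 0.0.0.0 [gateway_1] 1
route outside_1 [remotepeer] 255.255.255.255 [gateway_1] 1 track 1
route outside_1 [remoteinternal] 255.255.255.0 [gateway_1] 1 track 1
! Backup path: same destinations with a worse metric, used only while the tracked routes are gone
route outside_2 [remotepeer] 255.255.255.255 [gateway_2] 220
route outside_2 [remoteinternal] 255.255.255.0 [gateway_2] 220
```

A few points to check before relying on this. The probe is sourced from outside_1 explicitly, so it keeps testing the primary path while the tracked routes are withdrawn; a probe that simply followed the routing table would flip to outside_2 and report the path healthy again. The probe target must answer ICMP; if the peer filters pings, probe a host further upstream on that ISP that does. The default route is left untracked here, so only the VPN traffic fails over; ordinary Internet traffic would need a second default route via outside_2 with a higher metric. As Sven notes, the remote side must accept IKE from both of the ASA's public addresses, since the tunnel is built from whichever interface currently holds the route. Sven's isakmp keepalive disable is kept as posted; enabling DPD (isakmp keepalive threshold 10 retry 2 under the tunnel-group ipsec-attributes) would let the ASA tear down the SA on the failed path instead of keeping it until its lifetime expires.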

Hello,

Yes, that is the trick. The VPN tunnel changes from one interface to the other by changing the metric of the routes.

Route tracking would be fine, but unfortunately in this case the remote VPN endpoint is not a Cisco... but please, do not tell anybody.

Thank you

Sven