10-29-2012 07:12 AM
Hi Guys,
We want to set up a VPN between our central ASA 5520 and a new branch office ASA 5505 with a dynamic public IP.
This kind of configuration is supported, but the tunnel can only be initiated from the remote ASA (the central ASA doesn't know how to reach the remote ASA).
Considering that voice traffic will also transit this VPN, we need to keep the tunnel always up.
One solution would be to have a sort of continuous ping from the remote office to the central office... is there a more "professional" way to achieve our goal?
Thank you.
10-29-2012 07:33 AM
Hello,
Why not configure IP SLA on the remote ASA?
sla monitor 1
type echo protocol ipIcmpEcho <....Destination IP on the 5520 side> interface inside
sla monitor schedule 1 life forever start-time now
That would keep the SA up all the time [assuming the phones are behind the inside interface].
Cheers,
10-29-2012 11:31 AM
Hello Olpeleri,
I set the SLA as you indicated. The internal LAN on the remote branch is 192.168.101.0/24; the internal LAN on the central site is 192.168.20.0/20.
This is the config on the remote ASA:
"sla monitor 1
type echo protocol ipIcmpEcho 192.168.20.1 interface inside
sla monitor schedule 1 life forever start-time now"
The commands have been accepted (see below), but how can I tell if it's working?
I don't think it is. If I simply try to ping from the ASA in the remote branch to the central one, I get the following error:
"Routing failed to locate next-hop for protocol from NP Identity Ifc:192.168.101.11 /0 to inside: 192.168.20.1/0"
Any idea?
Thank you.
10-29-2012 11:05 PM
Hello,
Two commands can be used to check whether it works or not:
sh sla monitor operational-state
sh sla monitor config
10-30-2012 01:18 AM
Hello,
From the output, the ping is not working.
Entry number: 1
Modification time: 18:25:05.584 CEST Mon Oct 29 2012
Number of Octets Used by this Entry: 1480
Number of operations attempted: 867
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 08:51:05.587 CEST Tue Oct 30 2012
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0
A client on the internal network behind the remote ASA can reach the central internal network through the VPN tunnel, but if I try to ping from the ASA itself using the internal network as source, the ping does not work and I get a routing error message:
"Routing failed to locate next-hop for icmp from NP Identity Ifc:192.168.101.1 /0 to inside: 192.168.20.1/0"
It seems that the ASA can't find a route from the internal network to the remote network. In effect there is no route, but the crypto map should simply recognize this kind of traffic and tunnel it.
What should I do in order to let the ping from the ASA itself be tunneled into the VPN?
10-30-2012 02:43 AM
Try "management-access inside" on the ASA and ping.
10-30-2012 02:51 AM
Hi Ali,
Ping is working! Thanks.
ping
TCP Ping [n]:
Interface: inside
Target IP address: 192.168.20.1
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms
But the IP SLA configuration is not working.
Configuration:
sla monitor 1
type echo protocol ipIcmpEcho 192.168.20.1 interface inside
sla monitor schedule 1 life forever start-time now
sh sla monitor operational-state
Entry number: 1
Modification time: 10:33:26.253 CEST Tue Oct 30 2012
Number of Octets Used by this Entry: 1480
Number of operations attempted: 18
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 10:49:26.256 CEST Tue Oct 30 2012
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0
Any idea why?
10-30-2012 02:53 AM
Change
type echo protocol ipIcmpEcho 192.168.20.1 interface inside
to
type echo protocol ipIcmpEcho 192.168.20.1 interface outside
if your central ASA is on the outside zone, so it should be like the following:
sla monitor 1
type echo protocol ipIcmpEcho 192.168.20.1 interface outside
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
10-30-2012 03:00 AM
I tried changing to the outside interface, but it's still not working.
sla monitor 1
type echo protocol ipIcmpEcho 192.168.20.1 interface outside
sla monitor schedule 1 life forever start-time now
But I think that's normal: if I want to keep the tunnel up I need to generate traffic inside it, i.e. from the inside network to the inside network on the central PIX (192.168.20.1).
10-30-2012 03:02 AM
For IP SLA, traffic does not initiate from inside; it initiates from the firewall itself. And we specify the interface because we want to go to that destination IP from that interface only.
10-30-2012 03:04 AM
So does it mean that it is not possible to generate traffic from the ASA itself to keep the VPN always up?
10-30-2012 03:10 AM
When we configure IP SLA, it means that we want traffic to initiate from the firewall itself towards a specific zone like outside, not from one particular zone to another zone.
So yes, it is possible, and it should work if IP SLA has been configured in the right way. Check the following:
sla monitor 1
type echo protocol ipIcmpEcho 192.168.20.1 interface outside
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 192.168.20.0 255.255.255.0 x.y.z.a 1 track 1
10-30-2012 03:36 AM
I was hoping it would work [it's working on a Cisco IOS router].
Do you have any managed switch on the LAN side where you could have IP SLA running?
That would be the solution
10-30-2012 03:39 AM
Unfortunately it's a small office and they don't have managed switches.
But I found another solution on the web.
I set up the remote ASA to sync NTP with a server on the central network using the internal interface, and the tunnel stays up.
Thank you to everybody.
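The two pieces the thread converges on for the branch ASA, written out as an added example (not the poster's config, and not from Cisco documentation): "management-access inside" so the ASA can source packets from its inside address across the tunnel, and an NTP peer on the central LAN sourced from the inside interface so that the ASA's own traffic matches the crypto ACL. The NTP server address 192.168.20.10, the central peer address 203.0.113.1 and the ACL name L2L_CENTRAL are assumptions; the thread only gives 192.168.20.1 as a reachable central host and the two LAN ranges.

```cisco
! Added example; addresses other than the two LANs are assumed.
! Lets the ASA originate traffic (ping, NTP, syslog...) from its inside
! interface address 192.168.101.1 and have it enter the VPN tunnel.
management-access inside

! Periodic NTP polls from the inside address keep the IPsec SA in use.
! 192.168.20.10 is an assumed NTP server on the central LAN.
ntp server 192.168.20.10 source inside

! The crypto ACL must cover the ASA's own inside address; it does here
! because the whole branch /24 is interesting traffic. ACL name assumed.
access-list L2L_CENTRAL extended permit ip 192.168.101.0 255.255.255.0 192.168.20.0 255.255.255.0

! Verification: NTP should reach the server, and the SA to the central
! peer (203.0.113.1 is an assumed public address) should show encaps/decaps
! counters increasing. Also confirm the ping that failed earlier now works.
show ntp associations
show crypto ipsec sa peer 203.0.113.1
ping inside 192.168.20.1
```

Two caveats worth checking in practice. First, "management-access inside" also allows management sessions (SSH, HTTPS, Telnet, wherever they are enabled on the inside interface) to reach the inside address from the far side of the tunnel, so keep the ssh/http source restrictions on that interface tight. Second, NTP backs off its poll interval once synchronized, so look at the poll column in "show ntp associations" and make sure no idle timeout on the tunnel is shorter than that interval.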