Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1346
Views
0
Helpful
2
Replies

Backup IPsec VPN with 2 ISPs on one router to single endpoint

Go to solution
Jeffrey Warn
Level 1
Level 1

‎06-07-2010 11:42 AM - edited ‎02-21-2020 04:41 PM

I have the following configuration setup:

Cisco 1811 (Client Router)

Fa0 - Internal Network 192.168.0.0/24

Fa1 - Primary ISP connection, we'll call it 1.1.1.1

Fa2 - Vlan 800

Vlan 800 - Secondary ISP connection, we'll call it 2.2.2.2

ASA 5580 running 8.2

Outside interface we'll call 3.3.3.3

crypto map 5 set peer 1.1.1.1 2.2.2.2

crypto map 5 match address test_network

I have a tunnel-group defined for both 1.1.1.1 and 2.2.2.2

Now for the issue. I have the 1811 setup with SLA tracking. I use a default route-map to make sure that the ICMP goes out of Fa1 at all times and I track the default route with this. I have a floating weighted 250 default route pointing to the backup ISP.

While both networks are reachable, I can create the tunnel using the primary ISP to 3.3.3.3 (from 1.1.1.1). I can ping across the tunnel without issue. I can then simulate an outage of the primary ISP and the secondary route will kick in. I ping across the tunnel again, and on the ASA I can see a new ISAKMP connection has been established. Looking on the 1811, I see (2) QM_IDLE isakmp connections.

While the primary link is down, I can still ping across the tunnel without issue. The primary isakmp session on the 1811 never drops off but on the ASA it does in fact get removed. The ASA only has an established connection to 2.2.2.2. Once the primary link recovers and the default route is back out the primary ISP connection, the tunnel never recovers. The ASA appears to think that the secondary ISP is the active connection still and the routing doesn't work across the tunnel because the 1811 is trying to send data out the primary ISP.

Is there a way to do the following:

- When the primary ISP goes down on the 1811, the established tunnel is dropped

- When the primary ISP comes back up on the 1811,  the ASA can re-establish the connection using the primary link (or the backup tunnel on the 1811 is disconnected)?

Is this even possible to do on a single router (2 ISP links) or can it only be done using 2 routers?


Let me know if I need to explain a bit better or if any configuration details are needed.

Thanks!

Jeff

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎06-07-2010 11:53 AM

Jeffrey,

By having IP SLA tracking on the 1811, as soon as the tracking is down, the second tunnel should establish. (this also means that by enabling keepalives on both ends they should notice that the primary tunnel is not active and bring it down on both ends).

The keepalives will constantly monitor the other peer's health, so this should help you for both questions.

Federico.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎06-07-2010 11:53 AM

Jeffrey,

By having IP SLA tracking on the 1811, as soon as the tracking is down, the second tunnel should establish. (this also means that by enabling keepalives on both ends they should notice that the primary tunnel is not active and bring it down on both ends).

The keepalives will constantly monitor the other peer's health, so this should help you for both questions.

Federico.

0 Helpful

Go to solution
Jeffrey Warn
Level 1
Level 1
In response to Federico Coto Fajardo

‎06-07-2010 12:19 PM

Thanks. I didn't have the proper keepalive set on the 1811. I switched it from on-demand to periodic and it seemed to work.

Thanks for your quick reply!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents