Can I Weight IPSec Tunnels Between ASAs

Doug Engel
Level 1

Hello

 

Remote Site: NYC 150 Mb/sec internet link

Local Site: Baltimore 400 Mb/sec internet link

Backup Site: Washington 200 Mb/sec internet link

 

My main site and my backup site are connected via a gigabit Ethernet circuit between the respective site core switches. Each site has its own internet link, and OSPF allows my users to fail over their internet traffic to the backup site if the main site internet is down. We are opening an office in NYC with a single ASA connected to a 150 Mb/sec FIOS internet circuit. We want to implement an IPSec tunnel from the main site and the backup site to the remote site, but would like the remote site to prefer the tunnel to Baltimore unless it is down.

 

The interesting traffic would be the same for both tunnels

 

I know ASA cannot be a GRE endpoint.  How can I force the traffic from NYC through the Baltimore tunnel as long as it is functioning?  Can an IPSec tunnel be weighted?

 

Thanks

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

It's not weighting per se, but you can create up to 10 backup peers on LAN to LAN IPsec VPNs.

For each tunnel, the security appliance attempts to negotiate with the first peer in the list. If that peer does not respond, the security appliance works its way down the list until either a peer responds or there are no more peers in the list.

Reference.



Thanks for the information.  That looks very promising.  Thanks!

 

 

So I added the second peer to the NYC ASA and created the peer on the Baltimore ASA, but the NYC will not associate with the Baltimore ASA.  The Baltimore peer was created exactly as the Washington peer.  Thanks

The Baltimore ASA shows these errors

 

4 May 07 2015 11:22:23 Group = x.x.x.x, IP = x.x.x.x, Can't find a valid tunnel group, aborting...!
5 May 07 2015 11:22:23 Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
5 May 07 2015 11:22:23 Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5 May 07 2015 11:22:23 Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5 May 07 2015 11:22:23 Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
5 May 07 2015 11:22:23 Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5 May 07 2015 11:22:23 Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2

It looks like your Baltimore ASA isn't finding a Phase 1 proposal in common with NYC.

Each end should have a common policy - something like this:

crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2

(may be crypto ikev1 or ikev2 policy if you have newer code)

In any case, they have to have matching proposals to establish Phase 1 of the IPsec tunnel. Yours don't appear to have matching Diffie-Hellman group identifiers (2 vs. 5 in the log).

Reference.

OK, so I kind of dropped back and punted.  I created the profiles by hand, not wizard, and got tunnels up to both sites, but I had to use individual profiles and crypto maps.

 

For example, I created a policy for both Baltimore and Washington on the NYC ASA, and a tunnel was established to whichever crypto map has the highest priority, but not both. I then went into the Baltimore crypto map and added the Washington IP address. The tunnel remained established. When I went into the crypto map and moved Washington to the top of the list, it builds a tunnel to Washington, but I only have traffic going from Washington to NYC; there is no traffic going from NYC to Washington.

 

Argh......

 

Thanks

 

 

 

I got TAC involved and they set me completely straight.

 

Rather than build a profile for each peer, I should have built a tunnel group for each peer and then added both peers to the same crypto map.

 

This is on me not ever setting up IPSec in an ASA.

 

Thanks again
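The following is an added configuration example, not posted by anyone in this thread and not taken from Cisco documentation. It pulls together the three points the thread settles on: the Phase 1 policy (DH group included) must match on every peer, each peer needs its own tunnel-group (the "Can't find a valid tunnel group" error), and both peers go into a single crypto map entry in preference order rather than one crypto map entry per peer. It assumes ASA 8.4+ syntax (`crypto ikev1 policy`, `set ikev1 transform-set`), an interface named `outside`, and constructed placeholder addresses: 203.0.113.10 for Baltimore, 198.51.100.20 for Washington, 10.3.0.0/16 for the NYC LAN and 10.0.0.0/8 for the Baltimore/Washington networks. The pre-shared keys are placeholders to be replaced.

```cisco
! NYC ASA (constructed example, not the thread's configuration).
! Primary peer = Baltimore, backup peer = Washington, same interesting traffic.

! 1. Phase 1 policy. Every attribute here, including the DH group, must be
!    identical on the Baltimore and Washington ASAs, or the peer logs
!    "Mismatched attribute types for class Group Description" as in the thread.
!    Group 2 is kept to match the thread; pick a stronger group where all
!    three ASAs support it, but it still has to match on every end.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! 2. Interesting traffic is the same toward both peers, so one ACL is enough.
access-list NYC_TO_HQ extended permit ip 10.3.0.0 255.255.0.0 10.0.0.0 255.0.0.0

! 3. Phase 2 transform set; must also match what the peers offer.
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! 4. One tunnel-group per peer. Without a tunnel-group whose name is the
!    peer's address, the ASA cannot find the pre-shared key for that peer.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <BALTIMORE_PSK_PLACEHOLDER>
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key <WASHINGTON_PSK_PLACEHOLDER>

! 5. ONE crypto map entry that lists both peers. The ASA negotiates with the
!    first peer in the list and only moves to the next one if it does not
!    respond, which is the "backup peer" behaviour from the accepted answer.
crypto map OUTSIDE_MAP 10 match address NYC_TO_HQ
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.20
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Checks: confirm which peer Phase 1 came up with and that traffic is
! flowing in both directions (encaps and decaps counters both incrementing).
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.10
```

The Baltimore and Washington ASAs each need the mirror of this (NYC as the peer in their tunnel-group and crypto map entry, with the same Phase 1 and Phase 2 proposals), and the Washington ASA must have a route for the NYC subnet so return traffic enters its tunnel. Two caveats worth knowing before relying on this for failover: the ASA only tries the next peer when the first one fails to answer the IKE negotiation, and once the tunnel is established to the backup peer it stays there until that SA is torn down, so traffic does not automatically move back to Baltimore when Baltimore returns.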