Dynamic Routing for Failover L2L VPN

paulstone80
Level 3

Hi,

Can someone offer me some guidance with this issue please?

I've attached a simple diagram of our WAN for reference.

Overview

  • Firewall is ASA 5510 running 8.4(9)
  • Core network at Head Office uses OSPF
  • Static routes on ASA are redistributed into OSPF
  • Static routes on ASA for VPN are redistributed into OSPF with Metric of 130 so redistributed BGP routes are preferred
  • Core network has a static route of 10.0.0.0/8 to Corporate WAN, which is redistributed into OSPF
  • Branch Office WAN uses BGP - Routes are redistributed into OSPF
  • The routers at the Branch Office use VRRP for IP redundancy for the local clients' default gateway.
  • Primary Branch Office router will pass off VRRP IP to backup router when the WAN interface is down
  • Backup BO router (.253) only contains a default route to internet
  • Under normal operation, traffic to/from BO uses Local Branch Office WAN
  • If local BO WAN link fails, traffic to/from BO uses IPSec VPN across public internet

I'm trying to configure dynamic routing on our network for when a branch office fails over to the IPsec VPN. What I would like to happen (not sure if it's possible) is for the ASA to advertise the subnet at the remote end of the VPN back into OSPF at the Head Office.

I've managed to get this to work using RRI, but for some reason the VPN stays up all the time when we're not in a failover scenario. This causes the ASA to add the remote subnet into its routing table as a Static route, and not use the route advertised from OSPF from the core network. This prevents clients at the BO from accessing the Internet. If I remove the RRI setting on the VPN, the ASA learns the route to the subnet via the BO WAN - normal operation is resumed.

I have configured the metric of the static routes that get redistributed into OSPF by the ASA to be higher than 110. This is so that the routes redistributed by BGP from the BO WAN into OSPF are preferred. The idea being that when the WAN link is available again, the routing changes automatically and the site fails back to the BO WAN.

I suppose what I need to know is: is this design feasible, and if so, where am I going wrong?

Thanks,

Paul

HTH Paul ****Please rate useful posts****


rizwanr74
Level 7

Hi Paul,

What kind of switch are you running on the Branch Office segment 10.10.10.0/24?

I look forward to hearing from you.

thanks

Hi Rizwanr74,

The switch is just a simple HP Layer 2 switch.

Kind regards,

Paul

HTH Paul ****Please rate useful posts****

What kind of devices are at .254 and .253 ?

If those two devices are Cisco routers, then you can introduce IP-SLA to failover and fail back to primary WAN.

Take a look at thread below.

https://supportforums.cisco.com/thread/2034251

Let me know, if this helps

Thanks

Rizwan Rafeek

Hi Rizwan,

We already have that in place at the Branch Office using VRRP and ip tracking on the primary router.

The issue is with how to advertise the route to 10.10.10.0/24 via VPN, into OSPF at Head Office, when the Branch Office WAN is down.

I tried using RRI so the ASA advertises routes connected via VPN as Static routes, but the VPN tunnel remains UP even when we are not in a failover scenario. This causes the ASA to route traffic to 10.10.10.0/24 over the VPN, instead of back into the Core and out via the Branch Office WAN.

I hope that makes sense?

Thanks,

Paul

HTH Paul ****Please rate useful posts****

Hi Paul,

Your ASA keeps the tunnel alive only because that route exists on the ASA. Therefore you have to use IP SLA on the ASA to push traffic for 10.10.10.0/24 based on the echo reply.

Please look at the example below; it shows traffic flowing via the tunnel only in the event the ASA cannot reach network 10.10.10.0/24 via the HQ internal network.

This config will go on ASA,

route inside 10.10.10.0 255.255.255.0 10.0.0.2 1 track 10

(assuming 10.0.0.2 is the peering IP, i.e. the inside IP address of the router at HO)

route outside 10.10.10.0 255.255.255.0 xxx.xxx.xxx.xxx 254

(the value 254 is the higher cost of the route via the IPsec tunnel, and xxx.xxx.xxx.xxx is the default gateway of the ISP)

sla monitor 99
type echo protocol ipIcmpEcho 10.10.10.254 interface inside
num-packets 3
frequency 10
sla monitor schedule 99 life forever start-time now
track 10 rtr 99 reachability

Let me know, if this helps.

thanks

Rizwan Rafeek
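As an added illustration (not code from this thread or from Cisco), the following Python parses the tracked-route, SLA and track lines of the configuration above and models the ASA's route choice for 10.10.10.0/24: while the SLA echo succeeds the track is up and the metric-1 inside route wins; when the echo fails the track withdraws that route and the metric-254 tunnel route takes over. The ISP gateway is a constructed documentation address (203.0.113.1), and check_failback is an added sanity check that the tracked route really has the lower metric.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the ASA snippet from the answer above (mask typo fixed,
# ISP gateway replaced by the documentation address 203.0.113.1).
ASA_CONFIG = """\
route inside 10.10.10.0 255.255.255.0 10.0.0.2 1 track 10
route outside 10.10.10.0 255.255.255.0 203.0.113.1 254
sla monitor 99
 type echo protocol ipIcmpEcho 10.10.10.254 interface inside
 num-packets 3
 frequency 10
sla monitor schedule 99 life forever start-time now
track 10 rtr 99 reachability
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$")
TRACK_RE = re.compile(r"^track (\d+) rtr (\d+) reachability$")
SLA_RE = re.compile(r"^sla monitor (\d+)$")
ECHO_RE = re.compile(r"^type echo protocol ipIcmpEcho (\S+) interface (\S+)$")

@dataclass
class Route:
    iface: str
    prefix: str
    mask: str
    gateway: str
    metric: int
    track: Optional[int]

def parse(config):
    """Return (routes, track id -> sla id, sla id -> (echo target, interface))."""
    routes, tracks, slas, cur = [], {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ROUTE_RE.match(line):
            routes.append(Route(m[1], m[2], m[3], m[4], int(m[5] or 1), int(m[6]) if m[6] else None))
        elif m := TRACK_RE.match(line):
            tracks[int(m[1])] = int(m[2])
        elif m := SLA_RE.match(line):
            cur = int(m[1])
        elif m := ECHO_RE.match(line):
            slas[cur] = (m[1], m[2])
    return routes, tracks, slas

def active_route(routes, tracks, sla_up, prefix):
    """Lowest-metric route for prefix whose track (if any) reports its SLA reachable."""
    usable = [r for r in routes if r.prefix == prefix
              and (r.track is None or sla_up.get(tracks[r.track], False))]
    return min(usable, key=lambda r: r.metric, default=None)

def check_failback(routes, prefix):
    """Failback only happens if the tracked route out-competes the untracked backup."""
    tracked = [r.metric for r in routes if r.prefix == prefix and r.track is not None]
    backup = [r.metric for r in routes if r.prefix == prefix and r.track is None]
    return bool(tracked) and bool(backup) and min(tracked) < min(backup)
```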

Hi Rizwan,

That sounds like it would work. I'll have a test out of hours and let you know how I get on.

Thanks for your help,

Paul

HTH Paul ****Please rate useful posts****

Hi Rizwan,

I have tested this and it works.

I have to target the BO router WAN interface IP for the SLA ping, rather than the LAN IP, but other than that the concept works.

Thanks for your help.

Paul

HTH Paul ****Please rate useful posts****