03-18-2013 10:36 AM
I am hoping to get some help with an ongoing problem I have been having regarding a l2l VPN connection between our ASA 5510 and a client's ASA 5505. The client's main ISP is Comcast and he uses a secondary AT&T internet connection as a failover. When Comcast goes down, AT&T comes up and everything works great...except for the VPN to our ASA5510. I have not been able to get the VPN connection to work on the failover network. I have set up a separate, "Backup_WAN", interface in the firewall for AT&T. All of the same rules are in place for AT&T as there are for the primary Comcast connection (the VPN for Comcast works just fine) but I still cannot get the VPN to work with the failover.
What am I missing? Does anyone have any idea why the VPN would not be working? Any and all help would be greatly appreciated as this has been an unresolved issue since late 2012. Thanks so much in advance.
03-18-2013 11:16 AM
Dear William,
Have you checked this link:
ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example
Besides the routing changes, you need to enable ISAKMP and the crypto map on both interfaces.
I would recommend using two different crypto maps on the ASA which has two Internet connections.
HTH.
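As an added worked example (constructed for this thread, not taken from any post in it), here is what the two-crypto-map layout looks like on the dual-ISP 5505, together with a matching entry on the 5510 side that lists both of the client's public addresses as peers. All addresses, interface and object names and the PSK are placeholders, and the hub-side peer list is an assumption about what a failover setup needs rather than something stated in the thread.

```text
! Constructed example (not from this thread). Addresses are placeholders.
! ASA 8.4+ syntax; on 8.2/8.3 replace "crypto ikev1" with "crypto isakmp"
! and "ikev1 pre-shared-key" with "pre-shared-key".
!
! ---- Dual-ISP 5505 (spoke): Comcast on "outside", AT&T on "Backup_WAN" ----
! Track the primary default route; the backup route takes over when it fails.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route Backup_WAN 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! IKE must be enabled on BOTH Internet-facing interfaces.
crypto ikev1 enable outside
crypto ikev1 enable Backup_WAN
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec ikev1 transform-set TS-L2L esp-aes-256 esp-sha-hmac
access-list L2L-TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
!
! One crypto map per interface, each pointing at the hub (5510).
crypto map MAP-PRIMARY 10 match address L2L-TRAFFIC
crypto map MAP-PRIMARY 10 set peer 192.0.2.10
crypto map MAP-PRIMARY 10 set ikev1 transform-set TS-L2L
crypto map MAP-PRIMARY interface outside
crypto map MAP-BACKUP 10 match address L2L-TRAFFIC
crypto map MAP-BACKUP 10 set peer 192.0.2.10
crypto map MAP-BACKUP 10 set ikev1 transform-set TS-L2L
crypto map MAP-BACKUP interface Backup_WAN
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
!
! ---- 5510 (hub): the spoke may arrive from EITHER public address ----
crypto map MAP-OUT 10 match address L2L-TRAFFIC-HUB
crypto map MAP-OUT 10 set peer 203.0.113.50 198.51.100.50
crypto map MAP-OUT 10 set ikev1 transform-set TS-L2L
crypto map MAP-OUT interface outside
tunnel-group 203.0.113.50 type ipsec-l2l
tunnel-group 203.0.113.50 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
tunnel-group 198.51.100.50 type ipsec-l2l
tunnel-group 198.51.100.50 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
```

NAT exemption for the VPN traffic must also exist for the Backup_WAN path, and `show crypto ikev1 sa` / `show crypto ipsec sa` on both boxes confirm which peer address the tunnel actually came up on after a failover.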
03-18-2013 01:15 PM
Thank you for your quick reply.
I had seen that link before and I have successfully set up everything except for the VPN. The internet and email both failover just fine, the VPN is the problem. ISAKMP is enabled on both the outside and the backup interfaces and I have separate crypto map entries for each interface.
03-18-2013 01:19 PM
William,
Please run debugs to understand the issue:
debug crypto ikev1 190
debug crypto ipsec 190
*In case you are running 8.3 or 8.2:
debug crypto isakmp 190
Thanks.
03-18-2013 01:29 PM
Sorry for the dumb question, but where do I run those debug commands? When I try from CLI I get the message, "Debug Commands not supported in CLI"...
03-18-2013 01:31 PM
No worries.
Are you trying these commands on the ASA?
Thanks.
03-18-2013 01:33 PM
Yes on the ASA through Command Line Interface.
Edit: Using ASDM
03-18-2013 01:35 PM
That's the reason why; you need to connect to the ASA via SSH or Telnet.
You could use Putty or any other terminal client.
PIX/ASA 7.x: SSH/Telnet on the Inside and Outside Interface Configuration Example
HTH.
03-18-2013 01:52 PM
Thanks for your help. I have connected to the ASA through Putty and am typing the command
debug crypto ikev1 190 and keep receiving the error below.
03-18-2013 01:54 PM
Type in "enable", hit enter and then issue the command.
Thanks.
03-18-2013 02:03 PM
Thank you, I figured it was just something simple like that.
There is quite a bit of output from the debug command, is there anything in particular that I should be looking for?
03-20-2013 07:09 AM
Does anyone have any suggestions as to how I can get this failover VPN to work?
Thank you