Failover VPN problem...

wilann0001 (Level 1)

I am hoping to get some help with an ongoing problem I have been having regarding an L2L VPN connection between our ASA 5510 and a client's ASA 5505. The client's main ISP is Comcast and he uses a secondary AT&T internet connection as a failover. When Comcast goes down, AT&T comes up and everything works great...except for the VPN to our ASA 5510. I have not been able to get the VPN connection to work on the failover network. I have set up a separate "Backup_WAN" interface in the firewall for AT&T. All of the same rules are in place for AT&T as there are for the primary Comcast connection (the VPN for Comcast works just fine), but I still cannot get the VPN to work with the failover.

What am I missing? Does anyone have any idea why the VPN would not be working? Any and all help would be greatly appreciated as this has been an unresolved issue since late 2012. Thanks so much in advance.

11 Replies

Dear William,

Have you checked this link:

ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example

Besides the routing changes, you need to enable ISAKMP and the crypto map on both interfaces.

I would recommend using two different crypto maps on the ASA which has two Internet connections.

HTH.
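The advice above (tracked routing, IKE enabled on each ISP interface, and a separate crypto map applied to each) as a worked ASA configuration for the dual-ISP side. This is an added example, not from the thread or the linked Cisco document; it assumes ASA 8.4+ syntax, interface names "outside" (Comcast) and "Backup_WAN" (AT&T), and placeholder addresses, subnets and pre-shared key.

```cisco
! Added example (not from the thread): dual-ISP side of an ASA L2L VPN.
! Assumes ASA 8.4+ syntax, interfaces "outside" (Comcast) and
! "Backup_WAN" (AT&T); all addresses, subnets and the key are placeholders.
!
! Routing: primary default route tracked by an ICMP probe, floating backup.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route Backup_WAN 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! IKEv1 must be enabled on BOTH egress interfaces, not just "outside".
crypto ikev1 enable outside
crypto ikev1 enable Backup_WAN
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! Peer = the ASA 5510's public address (placeholder) and its pre-shared key.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_STRONG_PSK
!
! Interesting traffic and transform set, shared by both crypto maps.
access-list VPN_TRAFFIC extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! One crypto map per interface; each must be applied to its own interface.
crypto map MAP_PRIMARY 10 match address VPN_TRAFFIC
crypto map MAP_PRIMARY 10 set peer 192.0.2.10
crypto map MAP_PRIMARY 10 set ikev1 transform-set ESP-AES256-SHA
crypto map MAP_PRIMARY interface outside
crypto map MAP_BACKUP 10 match address VPN_TRAFFIC
crypto map MAP_BACKUP 10 set peer 192.0.2.10
crypto map MAP_BACKUP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map MAP_BACKUP interface Backup_WAN
!
! NAT exemption (8.3+ twice-NAT) must exist for BOTH egress interfaces; if a
! PAT rule exists for Backup_WAN, un-exempted traffic is PATed and never matches the ACL.
object network LOCAL_LAN
 subnet 10.1.0.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.2.0.0 255.255.255.0
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
nat (inside,Backup_WAN) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
```

The ASA 5510 side must also have a tunnel-group (and, if it initiates, a second peer address) for the AT&T public IP, otherwise IKE arriving from that source is rejected; that is my assumption, not something the thread states.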

Thank you for your quick reply.

I had seen that link before and I have successfully set up everything except for the VPN. The internet and email both failover just fine, the VPN is the problem. ISAKMP is enabled on both the outside and the backup interfaces and I have separate crypto map entries for each interface.

William,

Please run debugs to understand the issue:

     debug crypto ikev1 190

     debug crypto ipsec 190

*In case you are running 8.3 or 8.2:

     debug crypto isakmp 190

Thanks.

Sorry for the dumb question, but where do I run those debug commands? When I try from CLI I get the message, "Debug Commands not supported in CLI"...

No worries.

Are you trying these commands on the ASA?

Thanks.

Yes on the ASA through Command Line Interface.

Edit: Using ASDM

That's the reason why; you need to connect to the ASA via SSH or Telnet.

You could use Putty or any other terminal client.

PIX/ASA 7.x: SSH/Telnet on the Inside and Outside Interface Configuration Example

HTH.

Thanks for your help. I have connected to the ASA through Putty and am typing the command "debug crypto ikev1 190" and keep receiving the error below.

Type in "enable", hit enter and then issue the command.

Thanks.

Thank you, I figured it was just something simple like that.

There is quite a bit of output from the debug command, is there anything in particular that I should be looking for?

Does anyone have any suggestions as to how I can get this failover VPN to work?

Thank you