IPSEC VPN with two outside interface

jdixon (Level 1)

We have two sites running ASA 5505x firewalls. The branch site only has one ISP while the main location has two. The problem is if the main location's primary internet fails, then it fails over to the backup internet but the VPN will never build (because the IP changed).

On the branch side I put the additional peer IP address but it still won't come up. Now I think it is due to there not being a connection profile for both interfaces (because the connection profile is bound to an interface and we have the "outside" interface as the primary and "windstream" interface as the backup).

So how can I set this up (using ASDM) so it will fail over to the backup interface/isp for the VPN tunnel and it can come back online? I can't create secondary connection profile using the IP address of the branch site because it can't have duplicate connection profiles. I also couldn't name the connection profile because my understanding with Ciscos is that would require the use of device certificates and not preshared keys.

Accepted Solution
Hello,

You shouldn't need a second connection profile on your main firewall. However, you need to enable crypto ikev1 and apply your crypto map to the second outside interface. 

On the branch ASA, it appears what you and Marvin did should be fine. The branch side should have an additional tunnel-group for the backup ISP and the backup peer IP applied to the existing crypto map.

Other things you may need to verify:

  • same NAT statements for secondary outside interface as the primary outside interface
  • default route to gateway ip of secondary outside interface with AD of 254
  • connection types should be set to default bi-directional for the crypto maps


4 Replies

Marvin Rhoads (Hall of Fame)

Assuming you have backup routing in place for the site with two ISP connections, then you should be able to make it work.

When you define the crypto map used by the site-site VPN, there is a place to put one or more backup peer gateway(s) under "Peer Settings" when editing a crypto map.

See the screenshot below, where I have used 1.1.1.1 and 2.2.2.2 as examples:

That is what I did for the branch site but it still wouldn't build when the main location failed over to the Windstream connection. I noticed when I added that peer it added a new connection profile.

On the MAIN firewall the connection profile is bound to interface "outside", which is the Comcast circuit. So wouldn't there have to be a second connection profile to the branch location that is bound to the Windstream interface? The problem with doing that is you can't have two connection profiles with the same public IP address (the branch side only has one internet connection).


That was it. It was missing the inside->Windstream interface NAT. Once I did that then traffic started working.
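The CLI equivalent of the accepted solution's checklist and Marvin's backup-peer tip, written out as an added example rather than configuration posted in this thread. Interface names follow the thread ("outside" = primary, "windstream" = backup); all IP addresses, object names, ACL names, the map name "outside_map", the transform-set name and the pre-shared-key placeholder are assumptions. The SLA-tracked primary route is included because the floating AD 254 route alone only takes over when the primary interface goes down, not when the ISP's upstream fails.

```cisco
! ---- MAIN SITE ASA (two ISPs: "outside" = primary, "windstream" = backup) ----
! Addresses, object names and "outside_map" are assumed for this example.
object network LAN_MAIN
 subnet 10.1.0.0 255.255.0.0
object network LAN_BRANCH
 subnet 10.2.0.0 255.255.0.0
access-list VPN_BRANCH_ACL extended permit ip object LAN_MAIN object LAN_BRANCH

! Backup routing: the primary default route is tracked; the floating route
! (AD 254) takes over only when the primary ISP gateway stops answering.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside    0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route windstream 0.0.0.0 0.0.0.0 198.51.100.1 254

! NAT exemption for VPN traffic and Internet PAT must both exist for BOTH
! egress interfaces; the missing (inside,windstream) rule was the final fix.
nat (inside,outside)    source static LAN_MAIN LAN_MAIN destination static LAN_BRANCH LAN_BRANCH no-proxy-arp route-lookup
nat (inside,windstream) source static LAN_MAIN LAN_MAIN destination static LAN_BRANCH LAN_BRANCH no-proxy-arp route-lookup
nat (inside,outside)    after-auto source dynamic LAN_MAIN interface
nat (inside,windstream) after-auto source dynamic LAN_MAIN interface

! One crypto map applied to both interfaces, with IKEv1 enabled on both.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address VPN_BRANCH_ACL
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map 10 set connection-type bidirectional
crypto map outside_map interface outside
crypto map outside_map interface windstream
crypto ikev1 enable outside
crypto ikev1 enable windstream

! A single connection profile, keyed on the branch's only public IP.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_STRONG_PSK

! ---- BRANCH ASA (one ISP) ----
! Both main-site peer addresses on the crypto map, and a tunnel-group for each.
access-list VPN_MAIN_ACL extended permit ip object LAN_BRANCH object LAN_MAIN
crypto map outside_map 10 match address VPN_MAIN_ACL
crypto map outside_map 10 set peer 203.0.113.2 198.51.100.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map 10 set connection-type bidirectional
crypto map outside_map interface outside
crypto ikev1 enable outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_STRONG_PSK
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_STRONG_PSK
```

Two points worth checking after a failover test: the branch ASA tries the listed peers in order, so an existing IKE SA to the primary address has to time out (or be cleared) before it moves to the second peer, and the main site will re-establish from the windstream address only if the crypto map is bound to that interface and the floating route is actually active (show route, show crypto ikev1 sa).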