01-09-2017 10:53 AM - edited 02-21-2020 09:07 PM
Hi There,
I am trying to configure Single ASA / Dual ISP IPSEC L2L VPN fail-over using static routing + IP SLA + tracking.
Corporate ASA is 5512 (v9.5(2)5) with dual ISP connections. Branch office ASA is 5506 (v9.5(2)5) with single ISP connection.
WHAT WORKS:
- Corp and Branch ASA: IPSEC L2L VPN over Primary ISP (FIOS)
- Corp ASA: IP SLA + tracking detection of Primary ISP fail-state and routing over Backup ISP (BHN)
- Corp and Branch ASA: DPD + IKEv1 Initiation of successful Phase 1 and Phase 2 over Backup ISP
WHAT FAILS (After simulating fail-state by physically pulling Primary (FIOS) ISP cable):
- Corp ASA: Immediately after "PHASE 2 COMPLETED" on Backup (BHN), debug shows "Attempting to establish a phase2 tunnel on FIOS interface but phase1 tunnel is on BHN interface. Tearing down old phase1 tunnel due to a potential routing change."
I have read through Oleg Tipisov's PDF entitled "Building Fault-tolerant Site-to-Site VPNs with Cisco ASA", which addresses bug-fix "CSCsz04730", but the context is different... in that case DPD is disabled.
Attached are debug captures from both the Corp and Branch ASAs.
Thank you for any assistance.
-mdy
01-10-2017 04:11 PM
Looks like you are missing the "route-lookup" keyword in the identity NAT (NAT exempt). This might be causing the traffic to be diverted to the primary interface rather than the backup interface. You want the ASA to use the routing table to find the egress interface rather than NAT in this case. More on how the ASA determines the egress interface is here:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html#92034
Try adding the "route-lookup" keyword at the end of all the identity nat statements and see if it helps.
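To make the accepted answer concrete, here is an added ASA configuration example (not posted by the original poster or any responder in this thread) that puts the pieces together: the IP SLA probe and tracking object that pull the primary routes, the tracked primary and floating (AD 254) backup static routes as posted later in the thread, and the identity NAT (NAT exempt) rules written once per ISP interface with the "route-lookup" keyword so that the egress interface comes from the routing table and not from the NAT rule. Interface names PRIMARY/BACKUP, the next hops x.x.x.1 / x.x.x.161 and the remote networks 192.168.5.0/24 and 172.16.61.0/24 are taken from the thread; the inside subnet 10.1.0.0/16, the object names, the probe target 8.8.8.8, the peer address 203.0.113.10 and the transform-set name are assumed placeholders and have to be adapted.

```cisco
! --- Reachability probe out the primary ISP, and the tracking object (assumed target 8.8.8.8) ---
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface PRIMARY
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! --- Tracked primary routes (AD 1) and floating backup routes (AD 254), as in the thread ---
route PRIMARY 0.0.0.0 0.0.0.0 x.x.x.1 1 track 1
route PRIMARY 192.168.5.0 255.255.255.0 x.x.x.1 1 track 1
route PRIMARY 172.16.61.0 255.255.255.0 x.x.x.1 1 track 1
route BACKUP 0.0.0.0 0.0.0.0 x.x.x.161 254
route BACKUP 192.168.5.0 255.255.255.0 x.x.x.161 254
route BACKUP 172.16.61.0 255.255.255.0 x.x.x.161 254

! --- Objects (assumed inside subnet and object names) ---
object network CORP-LAN
 subnet 10.1.0.0 255.255.0.0
object-group network BRANCH-LANS
 network-object 192.168.5.0 255.255.255.0
 network-object 172.16.61.0 255.255.255.0

! --- Identity NAT (NAT exempt) for the VPN traffic, one rule per ISP interface.
! Without route-lookup the mapped interface named in the matching rule decides the
! egress interface, so traffic keeps being steered toward PRIMARY after the routes
! have moved to BACKUP; with route-lookup the routing table decides.
nat (inside,PRIMARY) source static CORP-LAN CORP-LAN destination static BRANCH-LANS BRANCH-LANS no-proxy-arp route-lookup
nat (inside,BACKUP) source static CORP-LAN CORP-LAN destination static BRANCH-LANS BRANCH-LANS no-proxy-arp route-lookup

! --- Crypto ACL and crypto map bound to both ISP interfaces (assumed names, peer and transform set) ---
access-list VPN-TRAFFIC extended permit ip object CORP-LAN object-group BRANCH-LANS
crypto ikev1 enable PRIMARY
crypto ikev1 enable BACKUP
crypto map VPNMAP 10 match address VPN-TRAFFIC
crypto map VPNMAP 10 set peer 203.0.113.10
crypto map VPNMAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map VPNMAP interface PRIMARY
crypto map VPNMAP interface BACKUP
```

To check the behaviour after pulling the primary link, confirm with "show track 1" and "show route" that the tracked routes are gone and the AD 254 routes are installed, then run "packet-tracer input inside icmp 10.1.1.10 8 0 192.168.5.10 detailed" (addresses assumed) and verify that the NAT phase shows the BACKUP identity rule and that the output interface is BACKUP, not PRIMARY. "show nat detail" shows the hit counts per rule, which tells you which of the two identity rules is actually matching the VPN traffic.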
01-09-2017 04:08 PM
Do you have a specific route to the remote network or just a default route that is failing over? One possible scenario that I can think of is that the route to the public network does not fail over, causing traffic to trigger the tunnel on the original interface after the default routes shift over. This can happen if the track command is missing on the specific routes. Can you run a packet-tracer immediately after the tunnel is established on the backup interface to verify?
01-09-2017 04:53 PM
Hello,
Post sanitized configs from both ASAs.
Thx
MS
01-11-2017 04:48 AM
Thx Rahul
-mdy
01-10-2017 07:22 AM
Thx for the ideas... I have track commands on the primary routes and a high AD on the backup routes...
route PRIMARY 0.0.0.0 0.0.0.0 x.x.x.1 1 track 1
route PRIMARY 192.168.5.0 255.255.255.0 x.x.x.1 1 track 1
route PRIMARY 172.16.61.0 255.255.255.0 x.x.x.1 1 track 1
route BACKUP 0.0.0.0 0.0.0.0 x.x.x.161 254
route BACKUP 192.168.5.0 255.255.255.0 x.x.x.161 254
route BACKUP 172.16.61.0 255.255.255.0 x.x.x.161 254