L2L IPSEC Failover - Software Bug?

mikedeyoung
Level 1

Hi There,

I am trying to configure Single ASA / Dual ISP IPSEC L2L VPN fail-over using static routing + IP SLA + tracking.

Corporate ASA is 5512 (v9.5(2)5) with dual ISP connections. Branch office ASA is 5506 (v9.5(2)5) with single ISP connection.

WHAT WORKS:

- Corp and Branch ASA: IPSEC L2L VPN over Primary ISP (FIOS)

- Corp ASA: IP SLA + tracking detection of Primary ISP fail-state and routing over Backup ISP (BHN)

- Corp and Branch ASA: DPD + IKEv1 Initiation of successful Phase 1 and Phase 2 over Backup ISP

WHAT FAILS (After simulating fail-state by physically pulling Primary (FIOS) ISP cable):

- Corp ASA: Immediately after "PHASE 2 COMPLETED" on Backup (BHN), debug shows "Attempting to establish a phase2 tunnel on FIOS interface but phase1 tunnel is on BHN interface. Tearing down old phase1 tunnel due to a potential routing change."

I have read through Oleg Tipisov's PDF entitled "Building Fault-tolerant Site-to-Site VPNs with Cisco ASA" which addresses bug-fix "CSCsz04730" but the context is different... in this case DPD is disabled.

Attached are debug captures on both Corp and Branch ASAs.

Thank you for any assistance.

-mdy

Rahul Govindan
VIP Alumni

Do you have a specific route to the remote network or just a default route that is failing over? One possible scenario that I can think of is that the route to the public network does not fail over - causing traffic to trigger the tunnel on the original interface after the default routes shift over. This can happen if the track command is missing on the specific routes. Can you run a packet-tracer immediately after the tunnel is established on the backup interface to verify?

Hello,

Post sanitized configs from both ASAs.

Thx

MS

Thx for help. See attached.

Looks like you are missing the "route-lookup" keyword in the identity NAT (NAT exempt). This might be causing the traffic to be diverted to the primary interface rather than the backup interface. You want the ASA to use the routing table to find the egress interface rather than NAT in this case. More on how the ASA determines the egress interface is here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html#92034

Try adding the "route-lookup" keyword at the end of all the identity nat statements and see if it helps.

Thx Rahul

-mdy

Thx for ideas... I have track commands on primary and high AD on backup...

route PRIMARY 0.0.0.0 0.0.0.0 x.x.x.1 1 track 1
route PRIMARY 192.168.5.0 255.255.255.0 x.x.x.1 1 track 1
route PRIMARY 172.16.61.0 255.255.255.0 x.x.x.1 1 track 1
route BACKUP 0.0.0.0 0.0.0.0 x.x.x.161 254
route BACKUP 192.168.5.0 255.255.255.0 x.x.x.161 254
route BACKUP 172.16.61.0 255.255.255.0 x.x.x.161 254
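The two failover checks raised in this thread (Rahul's point about `track` on the specific routes and a higher-AD backup route for each prefix, and the accepted fix of adding `route-lookup` to identity NAT rules that pin an egress interface) can be audited mechanically from a `show running-config` excerpt. The script below is an added example, not code from the thread or from Cisco; the interface names PRIMARY/BACKUP and the 192.168.5.0/24 and 172.16.61.0/24 prefixes come from the posted routes, while the object names (LAN, BRANCH_5, BRANCH_61), the 10.1.1.0/24 inside network and the sample config as a whole are constructed for illustration. It deliberately includes one NAT rule without `route-lookup` and one primary route without `track` so both checks fire.

```python
"""Audit an ASA config excerpt for two L2L failover pitfalls discussed in the thread:
1. identity (twice) NAT rules whose egress interface is fixed and that lack
   `route-lookup`, so NAT rather than the routing table picks the egress interface;
2. static routes out the primary ISP interface that have no `track`, or no
   backup route with a higher administrative distance for the same prefix.
"""
import re

# Constructed sample. Object names, the inside prefix and the deliberate
# mistakes are assumptions for this example; next hops stay sanitised (x.x.x.n).
SAMPLE_CONFIG = """\
object network LAN
 subnet 10.1.1.0 255.255.255.0
object network BRANCH_5
 subnet 192.168.5.0 255.255.255.0
object network BRANCH_61
 subnet 172.16.61.0 255.255.255.0
nat (inside,PRIMARY) source static LAN LAN destination static BRANCH_5 BRANCH_5 no-proxy-arp
nat (inside,PRIMARY) source static LAN LAN destination static BRANCH_61 BRANCH_61 no-proxy-arp route-lookup
route PRIMARY 0.0.0.0 0.0.0.0 x.x.x.1 1 track 1
route PRIMARY 192.168.5.0 255.255.255.0 x.x.x.1 1 track 1
route PRIMARY 172.16.61.0 255.255.255.0 x.x.x.1 1
route BACKUP 0.0.0.0 0.0.0.0 x.x.x.161 254
route BACKUP 192.168.5.0 255.255.255.0 x.x.x.161 254
"""

# Twice-NAT "source static REAL MAPPED" form; the rest of the line may carry
# destination objects and keywords such as no-proxy-arp / route-lookup.
NAT_RE = re.compile(
    r"^nat \((?P<ingress>[^,]+),(?P<egress>[^)]+)\) source static "
    r"(?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$"
)
# "route IFACE NET MASK NEXTHOP [AD] [track N]"; static routes default to AD 1.
ROUTE_RE = re.compile(
    r"^route (?P<iface>\S+) (?P<net>\S+) (?P<mask>\S+) (?P<nh>\S+)"
    r"(?: (?P<ad>\d+))?(?P<rest>.*)$"
)


def find_nat_pinned_without_route_lookup(config):
    """Return identity NAT lines that fix an egress interface but lack route-lookup."""
    findings = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        identity = m["real"] == m["mapped"]          # NAT exempt: real == mapped
        pinned = m["egress"].lower() != "any"        # "any" already defers to routing
        has_lookup = "route-lookup" in m["rest"].split()
        if identity and pinned and not has_lookup:
            findings.append(line.strip())
    return findings


def fix_route_lookup(nat_line):
    """Append route-lookup to a NAT line if it is missing (the thread's fix)."""
    return nat_line if "route-lookup" in nat_line.split() else nat_line + " route-lookup"


def check_failover_routes(config, primary, backup):
    """Flag primary routes without track, and primary prefixes with no higher-AD backup."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        ad = int(m["ad"]) if m["ad"] else 1
        tracked = "track" in m["rest"].split()
        routes.append((m["iface"], f"{m['net']} {m['mask']}", ad, tracked))
    backup_ad = {prefix: ad for iface, prefix, ad, _ in routes if iface == backup}
    untracked, no_backup = [], []
    for iface, prefix, ad, tracked in routes:
        if iface != primary:
            continue
        if not tracked:
            untracked.append(prefix)
        # The backup route must exist and must lose to the primary while it is up.
        if prefix not in backup_ad or backup_ad[prefix] <= ad:
            no_backup.append(prefix)
    return {"untracked_primary": untracked, "no_backup": no_backup}


if __name__ == "__main__":
    for line in find_nat_pinned_without_route_lookup(SAMPLE_CONFIG):
        print("NAT pins egress without route-lookup:\n  ", line)
        print("  suggested:", fix_route_lookup(line))
    for key, prefixes in check_failover_routes(SAMPLE_CONFIG, "PRIMARY", "BACKUP").items():
        for prefix in prefixes:
            print(f"{key}: {prefix}")
```

Feed the script the `nat` and `route` lines of the corporate ASA's running config; any NAT rule it reports is one where, until `route-lookup` is added, the ASA will keep choosing the egress interface named in the rule even after IP SLA has pulled the primary routes, which is exactly the "phase2 on FIOS, phase1 on BHN" mismatch seen in the debug.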