06-09-2014 08:57 PM
Dear Supporter,
Could you help me by providing a configuration for the network diagram in the attached file?
I appreciate your help.
Thank you
Best Regards
06-10-2014 02:20 AM
Hi Sothengse,
You can refer to the link below and configure the ASAs at the head end and tail end according to your requirement.
You need to tweak the given example configuration similarly at both ends (dual ISPs at both ends in your scenario).
http://networkology.net/2013/03/08/site-to-site-vpn-with-dual-isp-for-backup-redundancy/
Hope this helps.
Regards
Karthik
06-12-2014 01:18 AM
Dear Support,
The link that you provided above really helped me; now it's working. But there is still a small issue. When the primary link goes down, it takes a long time to switch to the backup link, maybe 30 to 35 seconds, with 8 to 9 request timeouts on the test PC (pinging from the PC for testing). Is it possible to force it to switch faster between the primary link and the backup link to avoid so many timeouts?
I very much appreciate your help!!!
Best Regards
sotheng
06-12-2014 04:29 AM
Hi Sotheng,
You can configure IP SLA and tracking on the firewall to minimize this.
Regards
Karthik
06-12-2014 10:22 PM
06-12-2014 10:43 PM
Hi Sotheng,
What frequency value have you set for the SLA?
Also, why have you specified outside1 in the ASA1 SLA configuration? Have you made the primary route use the outside1 interface, with outside as the backup, or how is it set up?
Regards
Karthik
06-13-2014 12:04 AM
Dear nkarthikeyan,
Thank you so much for your quick response.
Please kindly check both the network diagram and the config in the attached file, and let me know what the issue is.
Thank you
Best Regards,
sotheng
06-13-2014 12:42 AM
Hi Sotheng,
Could you set the timeout to default and check?

sla monitor 1
 type echo protocol ipIcmpEcho 172.16.1.241 interface outside1
 default timeout

Also try to tweak the number of packets and the frequency a bit to minimize the drops, say number of packets to 2 and frequency as it is.
Also try the debug commands below to find the fallback logs.
debug sla monitor trace: Displays progress of the echo operation.

The tracked object (primary ISP gateway) is up, and ICMP echos succeed.

IP SLA Monitor(123) Scheduler: Starting an operation
IP SLA Monitor(123) echo operation: Sending an echo operation
IP SLA Monitor(123) echo operation: RTT=3 OK
IP SLA Monitor(123) echo operation: RTT=3 OK
IP SLA Monitor(123) echo operation: RTT=4 OK
IP SLA Monitor(123) Scheduler: Updating result

The tracked object (primary ISP gateway) is down, and ICMP echos fail.

IP SLA Monitor(123) Scheduler: Starting an operation
IP SLA Monitor(123) echo operation: Sending an echo operation
IP SLA Monitor(123) echo operation: Timeout
IP SLA Monitor(123) echo operation: Timeout
IP SLA Monitor(123) echo operation: Timeout
IP SLA Monitor(123) Scheduler: Updating result

debug sla monitor error: Displays errors that the SLA monitor process encounters.

The tracked object (primary ISP gateway) is up, and ICMP succeeds.

%PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2
%PIX-7-609001: Built local-host outside:10.0.0.1
%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/52696 laddr 10.200.159.2/52696
%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/52696 laddr 10.200.159.2/52696
%PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 duration 0:00:00
%PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:00
%PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2
%PIX-7-609001: Built local-host outside:10.0.0.1
%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 0.200.159.2/52697 laddr 10.200.159.2/52697
%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/52697 laddr 10.200.159.2/52697
%PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 duration 0:00:00
%PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:00

The tracked object (primary ISP gateway) is down, and the tracked route is removed.

%PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2
%PIX-7-609001: Built local-host outside:10.0.0.1
%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6405 laddr 10.200.159.2/6405
%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6406 laddr 10.200.159.2/6406
%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6407 laddr 10.200.159.2/6407
%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6405 laddr 10.200.159.2/6405
%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6406 laddr 10.200.159.2/6406
%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 10.200.159.2/6407 laddr 10.200.159.2/6407
%PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 duration 0:00:02
%PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:02
%PIX-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.200.159.1, distance 1, table Default-IP-Routing-Table, on interface outside
!--- 10.0.0.1 is unreachable, so the route to the Primary ISP is removed.
Regards
Karthik
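
As an added example (not part of the original post and not the poster's configuration), this is how the SLA probe quoted above ties into a tracked primary default route with a floating backup route on an ASA. PRIMARY_GW and BACKUP_GW, the track ID, and the frequency value are assumptions; the timeout is left at its default, as the post suggests.

```text
! Added example with constructed values, not the poster's configuration.
! PRIMARY_GW and BACKUP_GW are placeholders for the two ISP next hops.
! The probe target and interface name are the ones quoted in the thread.
sla monitor 1
 type echo protocol ipIcmpEcho 172.16.1.241 interface outside1
 num-packets 2
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track object 1 follows the reachability result of SLA operation 1.
track 1 rtr 1 reachability
!
! The primary default route is installed only while track 1 is up.
route outside1 0.0.0.0 0.0.0.0 PRIMARY_GW 1 track 1
! Backup default route with a higher administrative distance.
route outside 0.0.0.0 0.0.0.0 BACKUP_GW 254
!
! Verification from privileged EXEC mode:
show sla monitor operational-state 1
show track 1
show route
```

When the probe fails, syslog message 622001, as in the debug output above, records the removal of the tracked route.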
06-13-2014 02:35 AM
Dear nkarthikeyan,
I have followed your steps above, but it is still the same. When ISP1 goes down, it takes 30 to 35 seconds to switch to ISP2. I captured the log when I shut down the interface for testing. Please kindly check the attached file.
Thank you!!!
Best Regards
sotheng
06-13-2014 02:46 AM
I do not see any files attached to the recent post....
Regards
Karthik
06-13-2014 02:59 AM
06-13-2014 03:21 AM
Hi Sotheng,
Everything seems to be fine, but I am not sure why it is taking so much delay. There are two things here: one is the internet link, and the other is the backup tunnel formation with ISP2, which might be taking time. But let me check if anything can be done.
Can you get me the complete configs of both ASAs, so that I can test and confirm this in my lab?
Regards
Karthik
06-13-2014 06:54 PM
Dear nkarthikeyan,
Thank you so much for your quick response. But these are the customer's configs. Do you mind sending me your email address?
I need your email address because I will send complete configs to you by email.
thank you
Best Regards,
sotheng
06-13-2014 11:43 PM
Hi Sotheng,
Please email me at nkartheekeyan@hotmail.com
Regards
Karthik
06-15-2014 06:18 PM