Remote Access VPN - IPSec

latenaite2011
Level 4

Hi Support Community,

I have an ASA with dual ISP (gig0/0 and gig0/1) and gig0/1 has a default route with admin distance of 254 for backup purpose.

I just created Cisco Anyconnect on the ASA using the wizard and I can connect to both interfaces.  

The IPSec tunnel configuration is also there, and I tried creating an IPSec VPN entry with my iPhone. I can connect to gig0/0, or to gig0/1 if gig0/0 is shut down. But I can't connect to gig0/1 if gig0/0 is up.

When I run "show crypto isa sa", I get the following error:

ciscoasa# show crypto isa sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: X.X.X.X
Type : user Role : responder
Rekey : no State : AM_WAIT_MSG3

So the question is, what does this mean, and why does it work if I shut gig0/0 (which is the primary interface)? Also, why would Cisco AnyConnect work with both interfaces up while the legacy Cisco VPN client does not?

Thanks

Accepted Solution

Dinesh Moudgil
Cisco Employee

Hello,

This is expected due to the way the ASA's routing table is currently designed. The ASA maintains not only a global routing table but a per-interface routing table as well.

In the case of IPSec VPN, the ASA control path will do a route lookup for the reply packet. That lookup will return the outside/primary ISP interface as the best route, but since you tried connecting on the backup, the ASA will drop the packet.

In the case of AnyConnect VPN or SSH/Telnet, the ASA creates a connection for the forward flow and reverse flow on the initial request and does not go through the route lookup mechanism; it just uses the egress interface (where the request was received) to send the reply out. The AnyConnect session will follow the per-interface routing table.

Check this for your reference:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsg39338/?reffering_site=dumpcr

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

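The reply-path decision described in the accepted answer, written out as a small Python model. This is an added example, not Cisco code or ASA output; the interface names and the backup distance of 254 come from the question, the rest is a constructed simplification.

```python
"""Model of the ASA reply path described above (added example, not Cisco code).

Two flow types are modelled:
  - "ikev1": IPsec control plane, reply egress chosen by a global route lookup.
  - "anyconnect" / "ssh": connection-tracked flows, reply follows the ingress interface.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # "0.0.0.0/0" for a default route
    egress: str      # interface the route points out of
    distance: int    # lower is preferred (the question uses 254 for the backup)


# Constructed routing table matching the question: primary default on gig0/0,
# backup default on gig0/1 with distance 254.
ROUTES = [Route("0.0.0.0/0", "gig0/0", 1), Route("0.0.0.0/0", "gig0/1", 254)]


def best_route(routes, up_interfaces):
    """Global routing-table lookup: routes via down interfaces are not installed,
    and among the remaining candidates the lowest distance wins."""
    candidates = [r for r in routes if r.egress in up_interfaces]
    return min(candidates, key=lambda r: r.distance) if candidates else None


def reply_egress(kind, ingress, routes, up_interfaces):
    """Return the interface the reply leaves on, or None if the ASA drops it."""
    if kind in ("anyconnect", "ssh"):
        # Connection entry already records the ingress interface; no route lookup.
        return ingress if ingress in up_interfaces else None
    route = best_route(routes, up_interfaces)
    if route is None or route.egress != ingress:
        return None  # best route points out a different interface -> reply dropped
    return route.egress


def scenario(kind, ingress, gig00_up=True):
    """Run one case from the thread: which interface the peer hit and whether gig0/0 is up."""
    up = {"gig0/1"} | ({"gig0/0"} if gig00_up else set())
    return reply_egress(kind, ingress, ROUTES, up)


if __name__ == "__main__":
    for case in [("ikev1", "gig0/0", True), ("ikev1", "gig0/1", True),
                 ("ikev1", "gig0/1", False), ("anyconnect", "gig0/1", True)]:
        print(case, "->", scenario(*case) or "dropped")
```

The dropped IKEv1 case is the one whose responder SA sits at AM_WAIT_MSG3: the ASA has built its Aggressive Mode reply but cannot send it out the interface the first message arrived on, so the third message never comes.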

3 Replies

OK, I had a question on how to get remote access VPN working with two ISPs (one on gig0/0 and one on gig0/1). Not sure if this will work, since there can only be one default gateway.

If you mean AnyConnect by remote access VPN, then it should ideally work as stated in the previous thread.
Just create different IP pools for VPN use on the different ISPs so that users can send the traffic accordingly.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/