Site to Site VPN/ Single Main ASA - Two Diff ASA in Single Branch Office

anand.network
Level 1

Hi Team,

I have a problem.

I am trying to establish tunnels between my end and multiple remote ends, hence I have configured a site-to-site VPN from my location's ASA to the remote location's ASA, and it is fine.

And I thought to establish a secondary VPN tunnel between the same locations for redundancy purposes.

My setup:

At one end there are two ASAs, each connected to a different ISP:

ASA1 - ISP1 - 1.1.1.1

ASA2 - ISP2 - 2.2.2.2

In each ASA I have configured the VPN tunnel to ASA3 and given the peer 3.3.3.3.

=================================================

At the remote end there is only one ASA with one ISP:

ASA3 - ISP3 - 3.3.3.3

I need to configure ASA3 as follows.

In the VPN peer configuration I need to add both peers as below:

crypto map MAPNAME 1 set peer 1.1.1.1 2.2.2.2

If I add it like this, the secondary tunnel with peer 2.2.2.2 does not come up if the primary ISP1 goes down.

Kindly help me to solve this.

2 Replies

Aditya Ganjoo
Cisco Employee

Hi Anand,

The config on ASA3 is fine.

So what is the status of the tunnel on ASA3 when the primary goes down?

Try to check show crypto isakmp sa and show crypto ipsec sa.

Also, if possible, the debugs for phase 1:

debug crypto isakmp/ikev1 200

Regards,

Aditya

Please rate helpful posts.

David Castro F.
Spotlight

Hello Anand,

I would tell you to make sure the following items are followed:

  - ASA1 and ASA2 have the same configuration going towards ASA3.

  - Make sure that on ASA3, once the ASA1 ISP has gone down, the request is going to the secondary channel, basically ASA2.

  - Check if the ISAKMP SA is built to ASA2 on ASA3, and see if the child SA is coming up (show crypto ipsec sa peer XXXXXXX --> peer IP address).

  - If phase 1 is not coming up, please run the debugs Aditya recommended (debug crypto isakmp/ikev1 200) and run a capture to see if UDP 500 or even UDP 4500 is building the phase 1 tunnel, for example: capture CAPNAME interface outside match ip host YYYYY host XXX

     YYYYY -> your outside IP address

     XXXX -> peer IP address

  - If phase 2 is not coming up, please make sure routing is correct, NAT exemption is in place if needed, the interesting traffic ACL is mirrored on both sides, and the encryption algorithms of the transform set match. You can also leverage the previous capture to see if IP protocol ESP is going across for phase 2, and run debugs (debug crypto ipsec 200).

  - If this did not work, proceed to provide the debugs and the configuration for the 3 ASAs.

Please proceed to rate and mark this post as correct if it helped you, keep me posted!

Thanks,

David Castro,
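The following is an added configuration example (not posted by anyone in this thread) that puts together the pieces the replies above ask for: one crypto map entry on ASA3 with both branch peers, a tunnel-group per peer, DPD keepalives, the mirrored interesting-traffic ACL, and NAT exemption on both sides. The subnets (10.3.0.0/24 behind ASA3, 10.1.0.0/24 behind both ASA1 and ASA2), the object and ACL names, the transform set, and the pre-shared-key placeholders are assumptions made for the example; the three public peer addresses are the ones from the original post.

```cisco
! ===== ASA3 (hub, 3.3.3.3) =====
! Assumed for this example: LAN-HUB 10.3.0.0/24 sits behind ASA3 and the same
! LAN-BRANCH 10.1.0.0/24 sits behind both ASA1 and ASA2, so one crypto ACL
! covers both peers.
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic: must be the exact mirror image of the ACL on ASA1 and ASA2.
access-list VPN-TO-BRANCH extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0

! NAT exemption so VPN traffic is not translated before it hits the crypto map.
object network LAN-HUB
 subnet 10.3.0.0 255.255.255.0
object network LAN-BRANCH
 subnet 10.1.0.0 255.255.255.0
nat (inside,outside) source static LAN-HUB LAN-HUB destination static LAN-BRANCH LAN-BRANCH no-proxy-arp route-lookup

! One tunnel-group per peer address. DPD (isakmp keepalive) is what lets ASA3
! notice that 1.1.1.1 has stopped answering and tear down that SA instead of
! waiting for the lifetime to expire. Keys are placeholders.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <key-shared-with-ASA1>
 isakmp keepalive threshold 10 retry 2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <key-shared-with-ASA2>
 isakmp keepalive threshold 10 retry 2

! Peers are tried in the listed order only when ASA3 is the initiator; as a
! responder ASA3 accepts either address because both have a tunnel-group.
crypto map MAPNAME 1 match address VPN-TO-BRANCH
crypto map MAPNAME 1 set peer 1.1.1.1 2.2.2.2
crypto map MAPNAME 1 set ikev1 transform-set TS-AES256-SHA
crypto map MAPNAME interface outside

! ===== ASA1 (branch, ISP1, 1.1.1.1) =====
! ASA2 is identical apart from its own outside address and pre-shared key;
! IKE policy, transform set and NAT objects are the same as on ASA3.
access-list VPN-TO-HUB extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside,outside) source static LAN-BRANCH LAN-BRANCH destination static LAN-HUB LAN-HUB no-proxy-arp route-lookup
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key <key-shared-with-ASA1>
 isakmp keepalive threshold 10 retry 2
crypto map MAPNAME 1 match address VPN-TO-HUB
crypto map MAPNAME 1 set peer 3.3.3.3
crypto map MAPNAME 1 set ikev1 transform-set TS-AES256-SHA
crypto map MAPNAME interface outside

! ===== Checks on ASA3 after pulling ISP1, following the replies above =====
! show crypto isakmp sa                     -> is the phase 1 SA now with 2.2.2.2?
! show crypto ipsec sa peer 2.2.2.2         -> does the child SA exist and count packets?
! clear crypto ipsec sa peer 1.1.1.1        -> drop a stale SA to the dead peer if DPD has not yet
! capture CAPNAME interface outside match ip host 3.3.3.3 host 2.2.2.2
! show capture CAPNAME                      -> UDP 500/4500 for phase 1, ESP for phase 2
```

Two behaviours of the multi-peer crypto map are worth keeping in mind when reading the show output: ASA3 moves to the next listed peer only after its own IKE attempts to the first one time out, so the switch is only as fast as DPD plus IKE retransmissions allow, and once the tunnel is up with 2.2.2.2 it stays there until that SA expires rather than pre-empting back to 1.1.1.1 when ISP1 returns.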