SSL VPN issue on cisco firewall

Nitin S
Level 5

Hello All,

We have three Cisco ASA 5545 firewalls configured for SSL VPN, and these three firewalls are in a VPN load-balancing cluster. For inside and outside we have separate switches. We also have one VRF interconnected to the VPN firewalls (a different switch for the VRF).

Recently we faced an issue where the inside/customer VRF switch was down, but at the same time the outside was up and the internet was reachable from the firewall. Because of that, users were able to connect to the VPN but nothing was accessible to them.

Is there any way to configure it so that if a firewall's inside/VRF interface or switch goes down, that firewall does not take any VPN load/new sessions? Or is there any other possibility?

Looking forward to your support.

9 Replies

Hi @Nitin S 

Run an EEM script in conjunction with IP SLA on each ASA to determine whether the next hop/interface is down; in the event of failure, disable crypto on the outside interface.

 

HTH

Nitin S
Level 5

Hi Rob,

Thanks for the reply. Can you please help with some sample config?

I don't have access to my lab for a few days, but refer to this link:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html

Have a look at the VPN preempt example, use that as a template, and change the EEM action to disable webvpn as below:

 

webvpn
no enable OUTSIDE

You will need to test in a lab to tweak as appropriate.

 

HTH

Nitin S
Level 5

I tried it in the lab, but I can't call track on an interface.

Use an ICMP track for the IP address of the next-hop device that is connected to that interface.

Nitin S
Level 5

! IP SLA 100: ICMP echo to the inside next hop, sourced from interface "lan"
sla monitor 100
 type echo protocol ipIcmpEcho 10.2.2.1 interface lan
 num-packets 3
 frequency 10
sla monitor schedule 100 life forever start-time now

! Track object 1 follows the reachability state of SLA 100
track 1 rtr 100 reachability

! Syslog 622001 is only logged when a static route bound to "track 1" is
! removed or re-added, so a tracked route is needed for this applet to fire.
event manager applet PREEMPT
 event syslog id 622001 occurs 2
 action 1 cli command "webvpn"
 action 2 cli command "no enable wan"
 output none

interface gig0/1
 nameif lan
 security-level 0
 ip address 10.2.2.2 255.255.255.252

! next hop: 10.2.2.1

You'll need another EEM script to re-enable when the IP SLA is active again.

When I shut down the LAN port, the event is not triggered. What is the process to trigger the event?

 

[attached screenshot: ASAipsla3.PNG]

You need to determine what syslog message is logged and amend your applet accordingly
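Pulling the thread's pieces together into one configuration, as an added example that is not any poster's config: the IP SLA probe and track object from the thread, the static route bound to the track that the posted config lacks (without it syslog 622001 is never generated, which is why shutting the LAN port triggered nothing), an applet that stops the ASA accepting new SSL VPN sessions when the inside next hop disappears, and a manually run applet to put it back. Interface names (lan/wan), the 10.2.2.0/30 link and next hop 10.2.2.1 come from the thread; the inside prefix 192.168.0.0/16 and the applet names are assumptions for illustration.

```cisco
! --- Reachability probe toward the inside next hop (addresses from the thread) ---
sla monitor 100
 type echo protocol ipIcmpEcho 10.2.2.1 interface lan
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 100 life forever start-time now

! Track object 1 goes down when SLA 100 reports the next hop unreachable
track 1 rtr 100 reachability

! --- The piece the posted config is missing: a static route bound to the track.
! Syslog 622001 ("Removing/Adding tracked route ...") is logged only when a tracked
! route is withdrawn or reinstalled. 192.168.0.0/16 is an assumed placeholder for
! the customer/VRF networks behind the inside switch; use your real prefixes.
route lan 192.168.0.0 255.255.0.0 10.2.2.1 1 track 1

! --- Applet 1: next hop unreachable -> stop accepting SSL VPN on the outside interface.
! Each state change of a tracked route logs 622001 once, so "occurs 1" reacts to the
! first withdrawal; raise the count if several routes are bound to track 1.
event manager applet VPN-DRAIN
 event syslog id 622001 occurs 1
 action 1 cli command "webvpn"
 action 2 cli command "no enable wan"
 output none

! --- Applet 2: re-enable SSL VPN, run by an operator after confirming recovery.
! 622001 uses the same message ID for "Adding" and "Removing", and ASA EEM matches
! syslog events by ID only, so a second syslog-triggered applet would fire on both
! transitions. "event none" makes this one manual:  event manager run VPN-RESTORE
event manager applet VPN-RESTORE
 event none
 action 1 cli command "webvpn"
 action 2 cli command "enable wan"
 output none
```

To test, shut the switch port facing 10.2.2.2 and watch `show sla monitor operational-state 100`, `show track 1` (state goes Down), `show route` (the tracked prefix disappears) and `show logging | include 622001`; `show running-config webvpn` should then no longer list `enable wan`. Two caveats for the cluster setup in the question: disabling webvpn only stops new sessions, so if you also want to drop users already connected add an action running `vpn-sessiondb logoff all` (or a narrower selector); and because the ASA is a VPN load-balancing member, an alternative action is `vpn load-balancing` / `no participate`, which takes the box out of the cluster so the master stops redirecting clients to it at all. Both variants need the same lab test Rob recommends before going into production.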
