09-17-2020 11:20 AM
Hello All,
We have three Cisco 5545 ASA firewalls configured for SSL VPN, and these three firewalls are in a VPN load balancer. For inside and outside we have separate switches. We also have one VRF interconnected to the VPN firewall (a different switch for the VRF).
Recently we faced an issue: the inside/customer VRF switch was down, but at the same time the outside was up and the internet was reachable from the firewall. Due to that, users were able to connect to the VPN but nothing was accessible to them.
Is there any way to have a configuration so that if the firewall's inside/VRF interface/switch goes down, that firewall does not take any VPN load/new sessions? Or any other possibility.
Looking forward to your support.
09-17-2020 11:24 AM
Hi @Nitin S
Run an EEM script in conjunction with IP SLA on each ASA to determine whether the next hop/interface is down; in the event of failure, disable crypto on the outside interface.
HTH
09-17-2020 11:29 AM
Hi Rob
Thanks for the reply. Can you please help with some sample config?
09-17-2020 11:37 AM
I don't have access to my lab for a few days, but refer to this link
...have a look at the VPN preempt example, use that as an example, and change the EEM action to disable webvpn as below:
webvpn
no enable OUTSIDE
You will need to test in a lab to tweak as appropriate.
HTH
09-17-2020 12:48 PM
I tried in the lab but I can't call track on the interface.
09-17-2020 12:53 PM
Use ICMP track for the IP address of the next hop device that is connected to that interface.
09-17-2020 01:01 PM
! ICMP probe of the inside next hop; track 1 follows its reachability
sla monitor 100
 type echo protocol ipIcmpEcho 10.2.2.1 interface lan
 num-packets 3
 frequency 10
sla monitor schedule 100 life forever start-time now
track 1 rtr 100 reachability
! Applet: on syslog 622001 (twice), disable WebVPN on the wan interface
event manager applet PREEMPT
 event syslog id 622001 occurs 2
 action 1 cli command "webvpn"
 action 2 cli command "no enable wan"
 output none
! Inside-facing interface (next hop 10.2.2.1)
interface gig0/1
 nameif lan
 security-level 0
 ip address 10.2.2.2 255.255.255.252
09-17-2020 01:19 PM
You'll need another EEM script to re-enable when the IP SLA is active again.
09-17-2020 01:27 PM
When I shut down the LAN port the event is not triggered. What is the process to trigger the event?
09-17-2020 01:35 PM
You need to determine what syslog message is logged and amend your applet accordingly.
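Added example config, not from any post in this thread, showing why the applet above never fires on a port shutdown and what a down/up pair keyed on the link-state messages looks like. Interface names "lan"/"wan" and the 10.2.2.x addresses follow the poster's config; the 10.0.0.0/8 tracked destination and the assumption that "logging enable" is already configured are mine.

```cisco
! Added example (not the thread's config). lan = inside, wan = outside.
! Assumes "logging enable" is already set so the syslog events are generated.
!
! 1. ICMP probe of the inside next hop; track 1 goes down when the
!    probes fail.
sla monitor 100
 type echo protocol ipIcmpEcho 10.2.2.1 interface lan
 num-packets 3
 frequency 10
sla monitor schedule 100 life forever start-time now
track 1 rtr 100 reachability
!
! 2. Syslog 622001 is only generated when a TRACKED static route is added
!    to or removed from the routing table. The thread's config has no
!    "route ... track 1" line, so 622001 is never logged and the PREEMPT
!    applet cannot fire. 10.0.0.0/8 is an assumed placeholder for the
!    inside/VRF networks. Note that 622001 is logged for both the removal
!    and the re-add, so it does not by itself tell down from up.
route lan 10.0.0.0 255.0.0.0 10.2.2.1 1 track 1
!
! 3. Shutting the switch port produces the line-protocol messages instead:
!    411002 = line protocol down, 411001 = line protocol up. ASA EEM matches
!    on the syslog ID only, so any interface changing state triggers these;
!    test in the lab that no other interface flaps before relying on them.
event manager applet VPN-LAN-DOWN
 event syslog id 411002 occurs 1
 action 1 cli command "webvpn"
 action 2 cli command "no enable wan"
 output none
!
event manager applet VPN-LAN-UP
 event syslog id 411001 occurs 1
 action 1 cli command "webvpn"
 action 2 cli command "enable wan"
 output none
```

Check with "show event manager" and "show track 1" after a controlled port shutdown and bring-up that each applet ran exactly once.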