VPN - Dual ISP

MaDe (Level 1)

Hi all,

I'm struggling with my VPN configuration; I hope someone can point me in the right direction.

I configured my VPNs to use my WAN primary and WAN backup link; this is not the problem. The problem is that I can't use RRI anymore because I get this error msg:

Crypto map associated with multiple interfaces. Cannot enable rr

So what can I do? Must I add two static routes manually with different metrics? Or is there another, better solution? Because I have 30 VPN sites, when I have to add two routes for every VPN site I end up with 60 route entries.

Many thanks for any hint.

Brgds Markus

My system: ASA 5510, Version 8.4(3)

7 Replies

MaDe (Level 1)

Hi all,

Seems I'm the only one....

I will try to explain it in more detail. We implemented a second internet line (ISP2). Now it is not possible to use RRI in the VPN settings because of multiple interfaces. So I think I have two options; the first one is to set a route like this:

<192.168.0.0/16 gateway ISP1> and <192.168.0.0/16 gateway ISP2> and enable route tracking on the ASA to use the dual ISP scenario. Could work. The second option is to add every remote network into the static routing and also enable route tracking for each static route. Could work, but it is not very comfortable. What is best practice to avoid a large static routing table?

Also, my second problem is that ISP3 is running EIGRP to the ASA, which works perfectly. But when I use a static 192.168.0.0/16 route, how can I redistribute single networks like 192.168.200.0/24 into the EIGRP process? I think that can only work if I add all remote networks into the static routing and then redistribute the networks into EIGRP. Is this correct? Below you will find a small network diagram to give an overview.

Many thanks for your feedback!

Brgds Markus

Whenever I've had to deal with this kind of active/passive scenario that you describe, I've simply made a duplicate of the crypto map and assigned it to the secondary interface and enabled RRI on both. Then it's just a matter of using IP SLA to track the default route for ISP1 and ISP2.
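The configuration the reply above describes, written out as an added example for ASA 8.4; it is not from the thread or from Cisco documentation. The interface names wan_primary and wan_backup and the gateways 1.1.1.1 and 3.3.3.1 come from the route tables posted later in the thread; the crypto map names, the peer address 203.0.113.10, the ACL name, the transform set and the SLA/track numbers are assumed placeholders. Lines beginning with `!` are comments.

```cisco
! Enable IKEv1 on both ISP-facing interfaces (assumed interface names from the thread)
crypto ikev1 enable wan_primary
crypto ikev1 enable wan_backup
!
! Crypto map for the primary link, RRI enabled with "set reverse-route"
! (peer, ACL and transform-set names are placeholders)
crypto map primary_map 10 match address vpn_site1_acl
crypto map primary_map 10 set peer 203.0.113.10
crypto map primary_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map primary_map 10 set reverse-route
crypto map primary_map interface wan_primary
!
! Identical entries on a second crypto map bound to the backup link,
! so each map is associated with exactly one interface and RRI is accepted
crypto map backup_map 10 match address vpn_site1_acl
crypto map backup_map 10 set peer 203.0.113.10
crypto map backup_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map backup_map 10 set reverse-route
crypto map backup_map interface wan_backup
!
! SLA probe: ping the ISP1 gateway out of wan_primary every 5 seconds
sla monitor 10
 type echo protocol ipIcmpEcho 1.1.1.1 interface wan_primary
 frequency 5
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability
!
! Tracked default route via ISP1; floating default via ISP2 with metric 254
! (the same metric seen in the route table posted below in this thread)
route wan_primary 0.0.0.0 0.0.0.0 1.1.1.1 1 track 10
route wan_backup 0.0.0.0 0.0.0.0 3.3.3.1 254
```

After a test failover, check `show route` and `show crypto ipsec sa`: the tracked default route should move to wan_backup, and the RRI route for the remote network should be re-injected once the SA is rebuilt on wan_backup. The later replies in this thread report a case where only the default route moved, so verifying both routes rather than just reachability is worthwhile.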

Hi David,

thanks for pointing me in the right direction. I tested the config in our map and it is working. But when I enable RRI in both crypto maps and have a look into the route table, I see that only the route to ISP1 is available.

      192.168.2.0 255.255.255.0 [1/0] via 1.1.1.1, wan_primary

So RRI is not switching over to ISP2 if failover occurs. Any thoughts?

Many thanks!

Markus

When failover occurs the routes should update dynamically. Is this not occurring? It should inject the routes as soon as the SAs come up on ISP2.

David,

when failover occurs the routes update dynamically. But only the default route changed, not the route that was added with RRI.

Gateway of last resort is 3.3.3.1 to network 0.0.0.0

C    1.1.1.0 255.255.255.0 is directly connected, wan_primary
C    3.3.3.0 255.255.255.0 is directly connected, wan_backup
C    10.55.55.0 255.255.255.0 is directly connected, management
C    192.168.1.0 255.255.255.0 is directly connected, inside
S    192.168.2.0 255.255.255.0 [1/0] via 1.1.1.1, wan_primary  -> RRI enabled
S*   0.0.0.0 0.0.0.0 [254/0] via 3.3.3.1, wan_backup

Regards Markus

Hmm, at that point if debug isn't showing anything helpful I'd probably just call TAC myself.

Hi,

Please can you elaborate on this. If you have both interfaces enabled for IPsec access, then the crypto maps that are created get automatically assigned to those interfaces, so there is no need to duplicate them. If you delete one of the two identical crypto maps (separate interfaces), the ASA deletes them both for both interfaces. Hence, I am unable to RRI on the crypto maps.

Any feedback would be very much appreciated as I am having the same issue.