Solved: VPN on Cisco ASA

jebanks · ‎02-09-2023

Hi Team:

Quick question. I have a single ASA with dual links. Each link to an ISP. Currently I have IP SLA configure to failover to the other provider if the main provider path is down. I have a branch connected to that single ASA via a site to site vpn via the primary provider. Now what i would like to do is create another VPN from the branch office to the main but using the secondary path. So if the main provider fails and the vpn goes down the branch can reach it via the secondary ISP link.

Should i create the backup vpn path just like i did on the first one and then use the same tracker to track the vpn status so that its aware when to failover? how can i get this done?

Rob Ingram · ‎02-09-2023

@jebanks on the HQ side you would need to enable the crypto map and ikev2/ikev1 on the second interface. And obviously ensure the IP SLA and tracking is working correctly for the failover.

On the branch you'd need to define a tunnel group for the second ISP and specify the authentication PSK/cert etc.

View solution in original post

MHM Cisco World · ‎02-10-2023

http://networkerslog.blogspot.com/2011/04/reverse-route-injection-for-remote.html

Chech this link you must disable RRI first

Update us if it not working

View solution in original post

Rob Ingram · ‎02-09-2023

@jebanks on the branch configure a backup peer in the crypto map (I assume you are using a policy based VPN). Ensure you have DPD keepalives enabled to ensure the stale IPSec SA are cleared in th event of failure of the primary link.

Example:

crypto map CMAP 1 set peer 1.1.1.1 2.2.2.1

In this example a tunnel will be established to 1.1.1.1, if that fails the ASA will attempt to connect to 2.2.2.1.

This example shows you the branch side cfg. https://integratingit.wordpress.com/2020/05/21/asa-multi-peer-vpn/

jebanks · ‎02-09-2023

But this example code that you gave me would be on the branch side right? I have attached a little drawing of what am talking about. Thanks.

Rob Ingram · ‎02-09-2023

@jebanks yes, that example I provided would be defined on the branch side.

jebanks · ‎02-09-2023

and at the HQ side would be another vpn configuration like i did for the first one right?

Rob Ingram · ‎02-09-2023

@jebanks on the HQ side you would need to enable the crypto map and ikev2/ikev1 on the second interface. And obviously ensure the IP SLA and tracking is working correctly for the failover.

On the branch you'd need to define a tunnel group for the second ISP and specify the authentication PSK/cert etc.

jebanks · ‎02-10-2023

hi Rob:

Thanks for the help so far. I believe the advice you are giving me is like this article i found (https://www.petenetlive.com/KB/Article/0000544) which is exactly what i want to do but when i follow it and the end it says that on the HQ side i need to enable the crypto map on the backup interface like you rightfully mention but when i do so i get the below when i cry to apply my existing crypto map on the secondary link:

ERROR: crypto map has entries with reverse-route injection enabled
Cannot attach to multiple interfaces

would this be due to the fact the firewall i have does not have security plus license?

Rob Ingram · ‎02-10-2023

@jebanks are you using RRI? If you are, perhaps try and use dynamic (append dynamic keyword to the configuration), however you need to use IKEV2 to use dynamic.

If that doesn't work use a route based VPN with2 VTIs.

jebanks · ‎02-10-2023

Sorry for my lack of knowledge what you mean by RRI? and how would a dynamic be? Currently its ikev1. Also, not sure what is VTIs but will check it out.

Rob Ingram · ‎02-10-2023

RRI = reverse route injection.

If you aren't using it then perhaps remove it, then you can enable crypto on the second interface.

jebanks · ‎02-10-2023

When i google what is RRI- From the definition of Reverse Route Injection, I have understood that it creates static route entries for remote vpn destinations in VPN gateway, so that it can redistribute the routes into into it's local network. would this be cause of the remote vpn that exist on the ASA? is there a command to validate that?

Rob Ingram · ‎02-10-2023

@jebanks RRI will create static routes on the ASA, which could be redistributed using a routing protocol. Are you redistributing these routes? Do you need to?

https://integratingit.wordpress.com/2022/01/01/asa-reverse-route-injection-rri/

MHM Cisco World · ‎02-10-2023

http://networkerslog.blogspot.com/2011/04/reverse-route-injection-for-remote.html

Chech this link you must disable RRI first

Update us if it not working

jebanks · ‎02-11-2023

@Rob and @MHM Cisco World it works when i disable to RRI but now when the main link is back up I notice i have to bounce the VPN connection so that it can fail over back. Where in the vpn i would call the SLA?

Rob Ingram · ‎02-11-2023

@jebanks once the primary interface is up, the ASA Firewall should automatically terminate the connection on the backup interface, the VPN should subsequently be cleared from both ASAs and the VPN should be re-established to the primary peer.

The SLA and track needs to be configured on the HQ Firewall.

What have you configured and on what device?

Provide your configuration.