1967 Views | 0 Helpful | 10 Replies
VTI Failover Recommendation

GVI_02 (Level 1)

Hey Guys,

I have a client who wants to create two Route Based VPNs - one main and one acting as a redundancy. The topology is as follows:

[Topology diagram]

There are two Tunnel interfaces on the ASA, both having the same physical interface as the tunnel source. On the router the two tunnel interfaces are on different physical interfaces but have the same tunnel destination. Both the ASA and the Router have a default route. There are two default routes on the router, one with a higher AD, which should be used when the primary path through the Internet goes down. Is this a viable configuration and what would be the best way to implement it?

10 Replies

@GVI_02 

You could either use IP SLA and track connectivity over the VPN or use BGP and prioritise the primary tunnel.
HTH

Yeah, that's the configuration right now. However, when the primary route goes down the second tunnel doesn't go up but is stuck in the IN-NEG state. We can see the BGP route coming up but the tunnel interface remains down. So I was wondering if there is maybe some limitation in the VTI - for example, 2 interfaces can't have the same destination or something along those lines.

On the router you've got a different source interface for the tunnel, so you should be able to establish a tunnel to the peer.

Please provide the relevant configuration of both devices.

Have you tested that the tunnels come up independently? Shut down the first tunnel and confirm the 2nd tunnel actually works.

Here is the configuration for both sides. I made a lab and I'm trying to set it up using static paths and SLA. Both tunnels go up separately if I disable the other. The problem is that when the main is up on the router both tunnel interfaces keep flapping.

[Attachment: Capture.PNG]

@GVI_02 

Use different IKEv2 and IPsec profiles; you are currently sending the same local identity to the peer by sharing the profile.

The identities need to be unique.

I can use different profiles with the same attributes, right? The ciphers can be the same.

@GVI_02 

Yes, you can use the same ciphers, it's the duplicate identity that is causing the issue.

FYI, don't use 3DES, it's weak, insecure and deprecated in newer ASA/FTD/IOS code. SHA1 is ok, but SHA2 (SHA-256 etc) is more secure and recommended.
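The router-side configuration below is an added example, not the thread's own config, and it pulls together the advice in the replies above: two IKEv2 profiles that share ciphers but carry a unique local identity each, AES-256/SHA-256 in place of 3DES/SHA1, and IP SLA tracking over the primary tunnel to swing the route to the backup VTI. The peer address 10.10.10.10 and the router identities 10.10.20.20 and 10.10.40.20 are taken from the posted config; the tunnel /30s, the remote LAN 192.168.100.0/24, the ISP gateways, the interface names and the pre-shared key placeholder are assumptions made for the example.

```cisco
! Added example (router side). Peer and identity addresses reused from the posted
! config; tunnel subnets, remote LAN, ISP gateways, interface names and the key
! are constructed placeholders.

! One IKEv2 proposal/policy; both tunnels can share the same ciphers.
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP

crypto ikev2 keyring KEYRING
 peer ASA
  address 10.10.10.10
  pre-shared-key REPLACE-WITH-REAL-KEY

! Two IKEv2 profiles: same peer, same ciphers, but a unique local identity each.
crypto ikev2 profile PROFILE
 match identity remote address 10.10.10.10 255.255.255.255
 identity local address 10.10.20.20
 authentication local pre-share
 authentication remote pre-share
 keyring local KEYRING
crypto ikev2 profile PROFILE2
 match identity remote address 10.10.10.10 255.255.255.255
 identity local address 10.10.40.20
 authentication local pre-share
 authentication remote pre-share
 keyring local KEYRING

! AES-256/SHA-256 instead of 3DES/SHA1; one transform set serves both profiles.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile PROFILE
 set transform-set TS
 set ikev2-profile PROFILE
crypto ipsec profile PROFILE2
 set transform-set TS
 set ikev2-profile PROFILE2

! Two VTIs: different sources, same destination, each bound to its own profile.
interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 10.10.10.10
 tunnel protection ipsec profile PROFILE
interface Tunnel2
 ip address 172.16.2.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 10.10.10.10
 tunnel protection ipsec profile PROFILE2

! Underlay: primary default route plus a floating one, as the question describes.
ip route 0.0.0.0 0.0.0.0 10.10.20.1
ip route 0.0.0.0 0.0.0.0 10.10.40.1 10

! Failover: probe the ASA's Tunnel1 address through the tunnel itself, and make
! the primary static route for the remote LAN depend on that probe.
ip sla 1
 icmp-echo 172.16.1.2 source-interface Tunnel1
 frequency 5
 timeout 2000
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 10 up 30
ip route 192.168.100.0 255.255.255.0 Tunnel1 track 1
ip route 192.168.100.0 255.255.255.0 Tunnel2 10
```

The probe is sent through Tunnel1 rather than to the peer's public address so that a tunnel that is up at the interface level but not passing traffic still fails the track. One thing to verify in the lab with this design: with only default routes on the router, Tunnel2's encapsulated packets follow whichever default route is active, i.e. the primary WAN while it is up, regardless of the tunnel source interface; if the backup tunnel must stay negotiated while the primary link is up, the usual IOS approach is a front-door VRF per WAN interface (tunnel vrf) so each tunnel's outer packets follow their own WAN's default route.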

I made the following changes. Is this ok:

crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel

crypto ikev2 profile PROFILE
 match identity remote address 10.10.10.10 255.255.255.255
 identity local address 10.10.20.20
 authentication local pre-share
 authentication remote pre-share
 keyring local KEYRING

crypto ipsec profile PROFILE
 set transform-set TS
 set ikev2-profile PROFILE

crypto ikev2 profile PROFILE2
 match identity remote address 10.10.10.10 255.255.255.255
 identity local address 10.10.40.20
 authentication local pre-share
 authentication remote pre-share
 keyring local KEYRING

crypto ipsec profile PROFILE2
 set transform-set TS
 set ikev2-profile PROFILE2

@GVI_02 looks ok

Now the second tunnel cannot establish. The debug shows no proposal chosen.