5027 Views, 9 Helpful, 39 Replies

Cisco ASA IPSEC VPN dual ISP

gaigl
Level 3

Hello,

Situation:

In the HQ we have an active/standby Firepower 2120 with ASA software.

In the branch there should be a Firepower 1010 with ASA software.

The HQ is redundant; the branch has 2 ISPs: one leased line with a fixed IP, one DSL backup (PPPoE with a fixed IP).

Now I need an IPsec L2L from the branch to HQ with failover to the DSL backup.

I've read that I could (on the branch) enter both outside interfaces in the tunnel-group, is this correct? Only on the CLI?

But how can I configure Tunnel-Group on HQ? 

Any Help is appreciated, thank you

39 Replies

gaigl
Level 3

OK, I tried this:

sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
timeout 2000
threshold 1
frequency 5
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability

route outside 0.0.0.0 0.0.0.0 GW-ISP2 1 track 1
route outside-2 0.0.0.0 0.0.0.0 GW-ISP1 100

But no failover:

Mar 30 2023 15:00:33: %ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = outside_map1. Map Sequence Number = 1.
Mar 30 2023 15:00:33: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map1. Map Sequence Number = 1.
Mar 30 2023 15:00:33: %ASA-5-750007: Local:8.20.8.20:500 Remote:8.8.8.8:500 Username:8.8.8.8 IKEv2 SA DOWN. Reason: peer phase 2 mismatch

(IPs replaced)


gaigl
Level 3

I think I have to try whether the tunnel comes up with only the secondary address.

With SLA/tracking, still:

Mar 30 2023 15:00:33: %ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = outside_map1. Map Sequence Number = 1.
Mar 30 2023 15:00:33: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map1. Map Sequence Number = 1.
Mar 30 2023 15:00:33: %ASA-5-750007: Local:8.20.8.20:500 Remote:8.8.8.8:500 Username:8.8.8.8 IKEv2 SA DOWN. Reason: peer phase 2 mismatch

Oh, I am out, but your issue I think is the peer ID.
If you want, wait until I return, or you can try by configuring a hostname instead of the IP.

@gaigl how are you testing? Do you actually shut down the primary interface? Does the SLA/tracking kick in to remove the primary route and install the new backup route via the outside-2 interface?

Provide more information to help us troubleshoot: provide the full output of the debugs, provide the output of the routing tables when it does not work, etc. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html


I'm out of office till Monday.

I've shut down the switchport to the primary interface.

I use IKEv1 with IP SLA and isakmp keepalive threshold 10 on the branch site,
and the ping succeeds when ISP1 fails in the branch and it shifts to ISP2.

[Screenshots attached: Screenshot (504).png, Screenshot (505).png]

gaigl
Level 3

Hello, first: thanks for your help, but the problem is not yet solved:

I've changed a little bit (from HQ to branch now 2 crypto map entries with different priorities):


HQ:

access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_1 object TEST-RV
access-list outside_cryptomap_100 extended permit ip object-group DM_INLINE_NETWORK_3 object TEST-RV

crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer $IP-of-outside
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256SHA512
crypto map outside_map1 1 set ikev2 pre-shared-key *****
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 10 match address outside_cryptomap_100
crypto map outside_map1 10 set pfs
crypto map outside_map1 10 set peer $IP-of-outside-2
crypto map outside_map1 10 set ikev2 ipsec-proposal AES256SHA512
crypto map outside_map1 10 set ikev2 pre-shared-key *****
crypto map outside_map1 10 set nat-t-disable
crypto map outside_map1 interface outside


tunnel-group $IP-of-outside type ipsec-l2l
tunnel-group $IP-of-outside general-attributes
default-group-policy GP_IKEV2
tunnel-group $IP-of-outside ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group $IP-of-outside-2 type ipsec-l2l
tunnel-group $IP-of-outside-2 general-attributes
default-group-policy GP_IKEV2
tunnel-group $IP-of-outside-2 ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

On BRANCH still this config:

access-list outside_cryptomap_1 extended permit ip object AUSSENSTELLEN_TEST_LAN object-group DM_INLINE_NETWORK_5

crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer $IP-of-HQ
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256SHA512
crypto map outside_map1 1 set ikev2 pre-shared-key *****
crypto map outside_map1 1 set security-association lifetime seconds 3600
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 interface outside
crypto map outside_map1 interface outside-2


tunnel-group $IP-of-HQ type ipsec-l2l
tunnel-group $IP-of-HQ general-attributes
default-group-policy GP_IPSEC_2
tunnel-group $IP-of-HQ ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

Now if I cut the primary connection, I get a new SA:

IKEv2 SAs:

Session-id:16549, Status:UP-ACTIVE, IKE count:1, CHILD count:2

Tunnel-id Local Remote Status Role
2620649689 $IP-of-outside-2/500 $IP-of-HQ/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 3600/14 sec
Child sa: local selector 172.25.0.0/0 - 172.25.255.255/65535
remote selector 192.168.15.0/0 - 192.168.15.255/65535
ESP spi in/out: 0xd4d4392e/0x36198680
Child sa: local selector 172.25.0.0/0 - 172.25.255.255/65535
remote selector 172.27.0.0/0 - 172.27.255.255/65535
ESP spi in/out: 0xaf28148c/0xe08ecb8e

But the problem:

Traffic only in one direction (on HQ: no bytes TX, some bytes RX) and no connection to BRANCH.

Question: does this look like a routing problem?

I don't need an extra route to the tunnel, right?

This should be done by the crypto map, right?

Logs and debug on Branch and HQ are very silent...

Not a priority issue here; the issue

is that we have two planes:

routing plane and IPsec plane.

Routing plane: the issue in the branch that has two ISPs must be solved via IP SLA to make traffic shift from primary to backup when the primary fails.

IPsec plane: we must use keepalive in IKEv1 and DPD in IKEv2 to shift the VPN tunnel from the OUT interface in the branch to OUT2 (backup ISP connection).

When both are done right, both sides know what to do when the primary ISP fails in the branch.

Note: crypto map outside_map1 1 set peer $IP-of-outside <<- in HQ you must list both branch outside IPs.

@gaigl so the VPN failed over to the secondary link and the IPSec SA were established correctly? If you have no encaps but some decaps that usually indicates a NAT or routing issue.

So the LAN switch routes all outbound traffic via the ASA, which then has a default route via the correct outside interface? Which should now be the secondary interface right?

Do you have a second NAT exemption rule specific to the secondary interface to ensure traffic is not unintentionally translated?

Something like this:

nat (inside,outside1) source static LAN LAN destination static REMOTE REMOTE
nat (inside,outside2) source static LAN LAN destination static REMOTE REMOTE

Provide the routing configuration changes you made, including the SLA/tracking.
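The two replies above describe the branch side as two separate problems: the routing plane (SLA tracking flipping the default route) and the IPsec plane (DPD tearing down the stale SA), plus a NAT exemption on each outside interface. The following is an added example that pulls those pieces into one branch configuration; it is not from the thread or from any poster. Interface names outside/outside-2 and the LANs 172.25.0.0/16, 192.168.15.0/24 and 172.27.0.0/16 are taken from the configs and SA output posted above; the next hops 203.0.113.1 and 198.51.100.1, the HQ peer 192.0.2.10 and the PSK are placeholders.

```cisco
! Branch ASA (Firepower 1010): dual-ISP L2L with routing-plane and IPsec-plane
! failover. Added example, not from the thread. Placeholder values:
!   outside   = leased line, next hop 203.0.113.1
!   outside-2 = DSL backup, next hop 198.51.100.1
!   HQ peer   = 192.0.2.10
!   LANs taken from the child SA selectors shown in the thread
object network BRANCH-LAN
 subnet 172.25.0.0 255.255.0.0
object-group network HQ-LANS
 network-object 192.168.15.0 255.255.255.0
 network-object 172.27.0.0 255.255.0.0
!
! --- Routing plane: the probe is forced out "outside", so it keeps testing
! the primary link even after the default route has moved to outside-2
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 timeout 2000
 threshold 1000
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
! primary default (AD 1) is withdrawn when track 1 goes down; the backup
! default (AD 100) then becomes the active route
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside-2 0.0.0.0 0.0.0.0 198.51.100.1 100
!
! --- NAT: exemption AND Internet PAT for each outside interface. Without the
! outside-2 exemption, post-failover VPN traffic is PATed to the outside-2
! address and never matches the crypto ACL (encaps stay at 0, decaps climb)
nat (inside,outside) source static BRANCH-LAN BRANCH-LAN destination static HQ-LANS HQ-LANS no-proxy-arp route-lookup
nat (inside,outside-2) source static BRANCH-LAN BRANCH-LAN destination static HQ-LANS HQ-LANS no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
nat (inside,outside-2) after-auto source dynamic any interface
!
! --- IPsec plane
crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 14
 prf sha512
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256SHA512
 protocol esp encryption aes-256
 protocol esp integrity sha-512
access-list outside_cryptomap_1 extended permit ip object BRANCH-LAN object-group HQ-LANS
crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set pfs group14
crypto map outside_map1 1 set peer 192.0.2.10
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256SHA512
! the same map is bound to both interfaces and IKEv2 is enabled on both
crypto map outside_map1 interface outside
crypto map outside_map1 interface outside-2
crypto ikev2 enable outside
crypto ikev2 enable outside-2
!
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-PSK
 ! DPD (the isakmp keepalive command covers IKEv2 as well): declare the peer
 ! dead after 10 s without reply, retrying every 2 s, so the stale SA built
 ! from "outside" is torn down and the tunnel re-initiates from outside-2
 ! once the default route has flipped
 isakmp keepalive threshold 10 retry 2
```

Two checks worth doing before cutting the primary line: `show track 1` and `show route` should show the AD 1 default via outside while the probe succeeds, and `show nat` should list both exemption rules above the PAT rules. If outside-2 is a PPPoE interface configured with `ip address pppoe setroute`, the default route for that interface comes from PPPoE rather than from the static `route outside-2` line, so confirm in `show route` which one is actually installed and with what distance.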


gaigl
Level 3

OK, now I have some debugs (when I cut the primary line), but it's hard for me to find the problem.

SLA/tracking is configured.

@gaigl what about answering the questions? It makes it hard for anyone to assist you if you don't provide the information requested.

gaigl
Level 3

Sorry, give me a moment, I always have to edit the output because of the public IPs.

One moment.

Please share the latest config for both HQ and branch.

Thanks 


@gaigl you don't create 2 crypto map sequence numbers on the HQ ASA for the VPN to the branch. You are also referencing a different crypto ACL on the second sequence number, why? You define a secondary peer under the same sequence number; this then uses the same crypto ACL, therefore the same traffic is permitted over the VPN.

crypto map outside_map1 1 set peer $IP-of-outside $IP-of-outside-2

Provide the output of "show crypto ipsec sa" and "show route" from both ASA when you failover to the secondary link.

After you failover to the secondary link, run packet-tracer from both ASA to simulate traffic over the VPN. Provide the output for review.
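The reply above is the HQ-side counterpart of the branch configuration: one crypto map sequence with both branch addresses as peers and one crypto ACL, rather than two sequences with different ACLs. The following is an added example of that HQ configuration together with the verification commands the reply asks for; it is not from the thread or from any poster. The branch addresses 203.0.113.20 and 198.51.100.20, the HQ interface name outside and the PSK are placeholders; the LANs are the ones visible in the SA output posted earlier.

```cisco
! HQ ASA (active/standby Firepower 2120): one crypto map sequence, both branch
! addresses as peers. Added example, not from the thread. Placeholders:
!   branch outside   = 203.0.113.20
!   branch outside-2 = 198.51.100.20
!   HQ outside interface = outside
object network BRANCH-LAN
 subnet 172.25.0.0 255.255.0.0
object-group network HQ-LANS
 network-object 192.168.15.0 255.255.255.0
 network-object 172.27.0.0 255.255.0.0
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 14
 prf sha512
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256SHA512
 protocol esp encryption aes-256
 protocol esp integrity sha-512
!
access-list outside_cryptomap_1 extended permit ip object-group HQ-LANS object BRANCH-LAN
crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set pfs group14
! one sequence, one crypto ACL, two peers: when HQ initiates it tries the
! first address and falls back to the second; inbound, a negotiation from
! either branch address matches this entry and the same traffic selectors
crypto map outside_map1 1 set peer 203.0.113.20 198.51.100.20
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256SHA512
crypto map outside_map1 interface outside
crypto ikev2 enable outside
!
! one tunnel-group per branch address: the L2L tunnel-group is looked up by
! the peer address, so the outside-2 address needs its own group
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-PSK
 isakmp keepalive threshold 10 retry 2
!
! HQ has a single outside interface, so one exemption rule is enough here
nat (inside,outside) source static HQ-LANS HQ-LANS destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
!
! --- Verification after the branch primary line is cut (run on HQ; the same
! commands with the addresses swapped apply on the branch)
show crypto ikev2 sa
show crypto ipsec sa peer 198.51.100.20
show route | include 0.0.0.0
packet-tracer input inside icmp 172.27.0.10 8 0 172.25.0.10 detailed
```

What to look for: `show crypto ikev2 sa` should list the remote as 198.51.100.20 after failover, `show crypto ipsec sa peer 198.51.100.20` should show both encaps and decaps counters increasing, and the packet-tracer output should end in an ALLOW with a VPN phase listed; a DROP in the NAT phase or a VPN phase that is missing points at the NAT exemption or the crypto ACL rather than at the IKE negotiation. The alternative the first reply in the thread mentions, a hostname-based IKE identity with a single tunnel-group, avoids the second tunnel-group but is not shown here.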