ASA - IPSEC and OSPF issue

Unanswered Question
Apr 24th, 2007

Hello!

We are using Cisco 871 at branches and ASA5520 in router mode at the central office. A VPN3000 is used to terminate IPSEC connections. I am trying to implement backup links with OSPF and the 'crypto map local-address' feature. The config at the Cisco 871 looks like this:

--------

interface Loopback1
 ip address 172.16.255.10 255.255.255.255

crypto map VPN local-address Loopback1
crypto map VPN 10 ipsec-isakmp
 set peer 10.1.5.1
 set transform-set TRANSFORM_SET
 match address VPN_TRIGGER

interface FastEthernet1
 description MAIN LINK
 ip address 172.16.1.10 255.255.255.0
 crypto map VPN

interface FastEthernet2
 description BACKUP LINK
 ip address 172.16.2.10 255.255.255.0
 crypto map VPN

router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 172.16.1.0 0.0.0.255 area 1.1.1.1
 network 172.16.2.0 0.0.0.255 area 2.2.2.2

--------

172.16.255.10 is configured as the peer address for the tunnel on the VPN3000.

IPSEC tunnel works fine; 172.16.255.10 is accessible.

ciscoasa# sh route | b 172.16.255
O E2 172.16.255.10 255.255.255.255
       [110/20] via 172.16.160.10, 0:04:26, link1

ciscoasa# sh conn detail | i 172.16.255.10
ESP dmz:10.1.5.1/41767 link1:172.16.255.10/56656
ESP dmz:10.1.5.1/4405 link1:172.16.255.10/38401
UDP dmz:10.1.5.1/500 link1:172.16.255.10/500 flags -

Let's shut down one active link:

ciscoasa# sh route | b 172.16.255
O E2 172.16.255.10 255.255.255.255
       [110/20] via 172.16.0.27, 0:00:15, link2

ciscoasa# sh conn detail | i 172.16.255.10
UDP dmz:10.1.5.1/500 link1:172.16.255.10/500 flags -

172.16.255.10 is now accessible via the 'link2' interface, but the UDP/500 connection is still bound to the 'link1' interface.

Is it a bug or a feature? I suppose it's a feature. Is it possible to turn off that 'bind connection to interface' feature?

Maybe there are better solutions for backup links? For example, should I use some ISR to terminate OSPF on it (then 172.16.255.10 won't jump from one interface to another)? Or maybe I should use two different IPSEC tunnels and run a routing protocol inside them?
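The mismatch shown above (route moved to 'link2', conn entry still bound to 'link1') can be checked mechanically. The following Python is an added example, not from the original thread: it parses the "sh route" and "sh conn detail" output, does a longest-prefix lookup for each conn endpoint, and reports every connection whose bound interface no longer matches the current route. The sample output is constructed from the post's own lines, and the line formats the regexes expect are my assumptions about that output.

```python
import ipaddress
import re

# Constructed sample modelled on the post's "sh route" / "sh conn detail" output
# after the main link went down: the host route to the 871's loopback now exits
# link2, while the ISAKMP (UDP/500) connection is still bound to link1.
ROUTE_OUTPUT = """\
C    10.1.5.0 255.255.255.0 is directly connected, dmz
O E2 172.16.255.10 255.255.255.255
       [110/20] via 172.16.0.27, 0:00:15, link2
"""
CONN_OUTPUT = "UDP dmz:10.1.5.1/500 link1:172.16.255.10/500 flags -\n"

PREFIX_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
IFACE_RE = re.compile(r"(?:via \S+,(?: \S+,)? |is directly connected, )(\S+)\s*$")
CONN_RE = re.compile(r"^(\w+) (\w+):([\d.]+)/\d+ (\w+):([\d.]+)/\d+")


def parse_routes(text):
    """Pair each prefix/mask with its egress interface. OSPF entries carry the
    next hop on the following line, connected/static entries on the same line."""
    routes, pending = [], None
    for line in text.splitlines():
        if m := PREFIX_RE.search(line):
            pending = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if (m := IFACE_RE.search(line)) and pending is not None:
            routes.append((pending, m.group(1)))
            pending = None
    return routes


def route_interface(routes, ip):
    """Longest-prefix match; None when the routing table has no route."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None


def stale_connections(route_text, conn_text):
    """(proto, ip, bound_iface, routed_iface) for each conn whose interface
    binding no longer agrees with the current route to that endpoint."""
    routes, stale = parse_routes(route_text), []
    for line in conn_text.splitlines():
        if not (m := CONN_RE.match(line)):
            continue
        for iface, ip in ((m.group(2), m.group(3)), (m.group(4), m.group(5))):
            routed = route_interface(routes, ip)
            if routed is not None and routed != iface:
                stale.append((m.group(1), ip, iface, routed))
    return stale
```

Run stale_connections(ROUTE_OUTPUT, CONN_OUTPUT) on the two captures; an empty list means every conn-table binding agrees with the routing table, anything else is a state entry that will keep using the old link.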

mchin345 Mon, 04/30/2007 - 11:28

Check the ASA configuration especially VPN related config.

krasinform Tue, 05/01/2007 - 20:30

The ASA isn't directly involved in the VPN; it's used as a router and (stateful) firewall here. The problem is in the firewall states and dynamic routing.
