ASA, Linksys RV08, & Tunnel backup

Unanswered Question
Mar 19th, 2008
User Badges:

I have a Linksys RV082 with a dual-WAN setup, connecting back to an ASA 5510 via VPN. The Linksys VPN configuration connects to the ASA on the WAN1 port primarily, and has the backup tunnel defined as connecting to the ASA via the WAN2 port. The ASA is configured to accept connections from both IP's. This all works- should the primary connection go do, the Linksys notices this fact and re-connects the tunnel on the secondary port. However, I can't figure out how to get the routing rules (IPSec Rules) on the ASA to follow suit.

I have both the Primary and Secondary ports defined in the IPSec Rule table, with the primary connection having a "lower" priority number than the secondary. However, when the primary tunnel fails and the secondary connects (which it does successfully), the ASA continues to try to send traffic destined for the remote subnet over the primary tunnel. This, of course, fails miserably, as the primary tunnel is no longer up, but the ASA never tries the secondary route. How can I configure this such that should the primary port on the linksys go down, it can not only re-connect the tunnel on the secondary port, but also have the ASA pass traffic over said tunnel? Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
acheron69 Thu, 03/20/2008 - 15:57
User Badges:

Have the ASA originate-only the tunnel and the Linksys to answer-only for both WAN. On the ASA, add wan1 and wan2 in IP address of peer.

ibrewster Thu, 03/20/2008 - 16:33
User Badges:

That might work, but I am a little concerned about the Linksys not having the capability of originating the tunnel itself. Unless the ASA kept the tunnel open all the time, then wouldn't there be a problem if the remote site (Linksys) tried to contact the local site over the VPN when the tunnel wasn't up?

ibrewster Tue, 06/17/2008 - 14:02
User Badges:

Ok, I tried that, and I couldn't make it work. For starters, as far as I can determine, the linksys box doesn't have a setting for answer-only. Perhaps that is the entire problem- if, for some reason, the tunnels on the linksys are originate-only, and can't be set to answer-old or bidirectional, perhaps the ASA is unable to make a connection. this doesn't make much sense though-if that setting can't be changed on the Linksys, one would hope they set it to bidirectional.

That said, I went ahead and tried setting the ASA to originate-only in the IPSec rules section, and added both wan1 and wan2 as suggested. However, after doing this I was unable to establish a VPN tunnel at all. The ASA log just shows repeated entries of the form:

3 Jun 17 2008 13:56:22 713042 IKE Initiator unable to find policy: Intf inside, Src: x.x.x.x, Dst: x.x.x.x

Also, as far as I can tell, there is no "establish tunnel" option on the ASA, although I could easily have just missed it. What am I doing wrong here? Thanks in advance!

ibrewster Fri, 06/27/2008 - 13:31
User Badges:

How can I do this? At one location, we have just replaced the linksys with a Cisco 1811, since we were having some issues with the dual-wan on the linksys, but even with the full Cisco router, there doesn't appear to be an answer-only option. What am I missing here? How can I get this to work?


This Discussion