ASA 5505 8.0(3) Problem with dual ISP

Unanswered Question
Apr 17th, 2008

hi everyone,

I have an urgent problem on the customer side with an asa5505 sec plus and two internet links.

I have configured the following...

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.5.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.81.X.X 255.255.255.240
!
interface Vlan3
 nameif dualisp
 security-level 0
 ip address 67.44.X.X 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3

route outside 0.0.0.0 0.0.0.0 64.81.X.X 1 track 1
route dualisp 0.0.0.0 0.0.0.0 67.44.X.X 254

sla monitor 123
 type echo protocol ipIcmpEcho 195.58.X.X interface outside
 num-packets 2
 frequency 5
sla monitor schedule 123 life forever start-time now

crypto ipsec transform-set DOCO esp-3des esp-md5-hmac
crypto map nfdocodmg0101-map 10 match address vpn-dmg
crypto map nfdocodmg0101-map 10 set peer 195.58.x.x
crypto map nfdocodmg0101-map 10 set transform-set DOCO
crypto map nfdocodmg0101-map interface outside
crypto map nfdocodmg0101-map-disp 10 match address vpn-dmg-dualisp
crypto map nfdocodmg0101-map-disp 10 set peer 195.58.x.x
crypto map nfdocodmg0101-map-disp 10 set transform-set DOCO
crypto map nfdocodmg0101-map-disp interface dualisp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable dualisp
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 123 reachability

tunnel-group 195.58.x.x type ipsec-l2l
tunnel-group 195.58.x.x ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable

If I disconnect the outside link, the backup link comes up and the vpn connection will be established. If I connect the outside link again, then the switchover back to the outside link doesn't work...

Any ideas why? Some software bug, or did I make a mistake in my config?

Thanks for any help

Rene

acomiskey Thu, 04/17/2008 - 11:49

"If I connect the outside link again than the switchover to the outside link doesn't work..."

-Could you clarify? The track doesn't come back up or the vpn doesn't fail back?

acomiskey Thu, 04/17/2008 - 12:04

Is the address you are tracking also the peer address of your vpn tunnels? Have you tried tracking another ip address?

rene.schmid Thu, 04/17/2008 - 12:05

Yes, I have tried another ip address, same result. I have also tried different software versions :(

acomiskey Thu, 04/17/2008 - 12:13

What does "show track" say after you plug in the outside interface?

I would create a specific route to the tracked ip...4.2.2.2 for example.

route outside 4.2.2.2 255.255.255.255

Then when you plug the outside interface back in, try to ping it from an inside client on the network.

ngods Wed, 05/28/2008 - 12:08

This is a known problem with none but an ugly solution. There is no "preempt" or active peer detection for ISAKMP, even though it should prefer the first peer when both become active again. If you look at the IPSEC SAs, you'll see it thinks it is sending traffic, so Dead Peer Detection doesn't help. If you clear ISAKMP sa, it will correctly elect the outside peer crypto map.

It's not IP related -- your route is correctly returning, however IKE doesn't care; its IP connectivity is still fine on the backup, so everything breaks.

Conditionally Null route the inside address of the ASA from the outside router if the outside serial address is reachable.

You could probably do it on the ASA itself with "route dualisp 67.44.X.Y 255.255.255.255 null0 track 1".

suschoud Wed, 05/28/2008 - 12:15

Ok,

try using the default gateway ip address of your main isp link as the monitored ip address under sla monitor--> should work.

Regards,

Sushil

Cisco TAC

Pravin Phadte Sun, 12/07/2008 - 03:18

Hi,

I agree with you on this problem.

Not sure if you did find a resolution. I had this problem and the resolution is simple.

security-association lifetime seconds 28800

this is a default value for 8 hours.

The min is 120.

Set it as below:

crypto map outside_map 100 set security-association lifetime seconds 120

crypto map backup_map 100 set security-association lifetime seconds 120

and check how it works :)

hope this helps,

regards,

pravin
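As an added example (not code from this thread, from Cisco, or from any of the posters), here is a small Python checker that parses the route, sla monitor, track and crypto map lines of a configuration shaped like the one posted above and reports the points the replies raise: an SLA target that is also the VPN peer (acomiskey), no host route pinning the probe target to the primary interface (acomiskey's 4.2.2.2 suggestion), a backup default route that is not less preferred than the tracked one, and crypto map entries still on the default 28800 s security-association lifetime (Pravin's 120 s suggestion). The two embedded configs are constructed: RFC 5737 documentation addresses stand in for the masked 64.81.X.X / 67.44.X.X / 195.58.X.X values, the finding codes are my own, and the ADJUSTED config applies the replies' suggestions (suschoud's alternative of probing the ISP gateway would pass the same checks).

```python
"""Consistency checker for an ASA dual-ISP + site-to-site VPN configuration.

Added example, not from the thread. It parses only the CLI lines relevant to
fail-over / fail-back and reports the issues discussed in the replies.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the poster's config (documentation addresses).
POSTED_STYLE = """
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route dualisp 0.0.0.0 0.0.0.0 198.51.100.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.10 interface outside
 num-packets 2
 frequency 5
sla monitor schedule 123 life forever start-time now
crypto map nfdocodmg0101-map 10 set peer 203.0.113.10
crypto map nfdocodmg0101-map interface outside
crypto map nfdocodmg0101-map-disp 10 set peer 203.0.113.10
crypto map nfdocodmg0101-map-disp interface dualisp
track 1 rtr 123 reachability
"""

# Constructed: same topology with the replies' suggestions applied (probe an
# address that is not the VPN peer, pin it with a host route, 120 s SA lifetime).
ADJUSTED = """
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route outside 203.0.113.200 255.255.255.255 192.0.2.1 1
route dualisp 0.0.0.0 0.0.0.0 198.51.100.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.200 interface outside
sla monitor schedule 123 life forever start-time now
crypto map nfdocodmg0101-map 10 set peer 203.0.113.10
crypto map nfdocodmg0101-map 10 set security-association lifetime seconds 120
crypto map nfdocodmg0101-map interface outside
crypto map nfdocodmg0101-map-disp 10 set peer 203.0.113.10
crypto map nfdocodmg0101-map-disp 10 set security-association lifetime seconds 120
crypto map nfdocodmg0101-map-disp interface dualisp
track 1 rtr 123 reachability
"""

ROUTE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$")
SLA = re.compile(r"sla monitor (\d+)$")
SLA_TARGET = re.compile(r"type echo protocol ipIcmpEcho (\S+) interface (\S+)$")
TRACK = re.compile(r"track (\d+) rtr (\d+) reachability$")
MAP_IF = re.compile(r"crypto map (\S+) interface (\S+)$")
MAP_PEER = re.compile(r"crypto map (\S+) (\d+) set peer (\S+)$")
MAP_LIFE = re.compile(r"crypto map (\S+) (\d+) set security-association lifetime seconds (\d+)$")


def parse(text):
    """Extract routes, SLA targets, tracks and crypto map bindings from CLI text."""
    cfg = {"routes": [], "sla": {}, "tracks": {}, "map_if": {}, "maps": defaultdict(dict)}
    sla_id = None  # sla monitor block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := ROUTE.match(line):
            iface, net, mask, gw, metric, track = m.groups()
            cfg["routes"].append({"iface": iface, "net": net, "mask": mask, "gw": gw,
                                  "metric": int(metric or 1), "track": track})
        elif m := SLA.match(line):
            sla_id = m.group(1)
        elif m := SLA_TARGET.match(line):
            cfg["sla"][sla_id] = (m.group(1), m.group(2))  # (probe target, interface)
        elif m := TRACK.match(line):
            cfg["tracks"][m.group(1)] = m.group(2)  # track id -> sla id
        elif m := MAP_IF.match(line):
            cfg["map_if"][m.group(1)] = m.group(2)  # map name -> interface
        elif m := MAP_PEER.match(line):
            cfg["maps"][m.group(1)].setdefault(m.group(2), {})["peer"] = m.group(3)
        elif m := MAP_LIFE.match(line):
            cfg["maps"][m.group(1)].setdefault(m.group(2), {})["sa_lifetime"] = int(m.group(3))
    return cfg


def audit(cfg):
    """Return (code, message) findings; an empty list means all checks passed."""
    findings = []
    peers = {e["peer"] for entries in cfg["maps"].values() for e in entries.values() if "peer" in e}
    for r in cfg["routes"]:
        if r["track"] and r["track"] not in cfg["tracks"]:
            findings.append(("UNDEFINED_TRACK", f"route on {r['iface']} uses track {r['track']}, which is not defined"))
    for t, sla in cfg["tracks"].items():
        if sla not in cfg["sla"]:
            findings.append(("UNDEFINED_SLA", f"track {t} references sla monitor {sla}, which has no echo target"))
    defaults = [r for r in cfg["routes"] if r["net"] == "0.0.0.0"]
    for p in (r for r in defaults if r["track"]):
        for b in (r for r in defaults if not r["track"]):
            if b["metric"] <= p["metric"]:
                findings.append(("BACKUP_METRIC", f"backup default route on {b['iface']} (metric {b['metric']}) is not less preferred than the tracked route on {p['iface']} (metric {p['metric']})"))
    for sla, (target, iface) in cfg["sla"].items():
        if target in peers:
            findings.append(("TRACK_IS_PEER", f"sla monitor {sla} probes {target}, which is also a VPN peer; track an address independent of the tunnel"))
        if not any(r["net"] == target and r["mask"] == "255.255.255.255" and r["iface"] == iface for r in cfg["routes"]):
            findings.append(("NO_HOST_ROUTE", f"no host route pins probe target {target} to interface {iface}"))
    for name, iface in cfg["map_if"].items():
        for seq, entry in cfg["maps"].get(name, {}).items():
            if "sa_lifetime" not in entry:
                findings.append(("NO_SA_LIFETIME", f"crypto map {name} {seq} on {iface} keeps the default 28800 s SA lifetime; a short lifetime (thread suggests 120 s) makes the tunnel re-negotiate soon after fail-back"))
    for r in defaults:
        if r["iface"] not in cfg["map_if"].values():
            findings.append(("NO_CRYPTO_MAP", f"interface {r['iface']} carries a default route but has no crypto map bound"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted style", POSTED_STYLE), ("adjusted", ADJUSTED)):
        print(f"== {label} ==")
        for code, msg in audit(parse(text)) or [("OK", "no findings")]:
            print(f"{code}: {msg}")
```

Run it against a `show running-config` capture to see which of the thread's suggestions still apply; the checker reads only the lines it recognises, so a full config can be fed in unchanged.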
