RA VPN backup

Unanswered Question
Dec 15th, 2008

Hi,


I have a router with two Internet connections, which is then connected to a PIX behind it. All vpn inbound connections are sent (by using static translations) to the PIX using Internet link 1 and it works fine. I then made another connection between the router and PIX and sent vpn traffic to it using Internet link 2.


The problem is whenever I try to VPN using the Internet link 2 interface the connection will not establish and the show crypto isakmp sa gives me the output AG_INIT_EXCH.


Any ideas???

kwillacey Mon, 12/15/2008 - 13:24

Is what I'm trying to accomplish really that difficult?

Richard Burts Mon, 12/15/2008 - 14:37

Kelvin


I am not sure that there is enough information provided for us to really understand the issue or to give you possible solutions. Your description talks about the router with 2 Internet connections, where VPN traffic comes over one connection and is sent to the PIX using some translation mechanism. Then you describe creating another connection from the router to the PIX (at least I think that is what you are describing) and trying to send traffic over the second connection.


From that description my first guess is that there is something in the translation mechanism that is the issue. Is it possible that the traffic arrives over the second connection but the response goes back on the first connection (as normal traffic would do)? It may be that the asymmetric path there is the problem.


If you provide a bit more detail about the environment and perhaps relevant parts of the config then perhaps we could give you better answers.


HTH


Rick

ajagadee Mon, 12/15/2008 - 19:32

Hi,


So, the VPN Tunnel that you are talking about, is this Remote Access or L2L? Based upon the debug message "AG_INIT_EXCH", I am going to assume that this is Remote Access users and explain below why this was not working. If this is a L2L Tunnel, please provide some additional details.


The second connection between the Pix and Router, is this like a DMZ link or are you doing VLAN Sub Interfaces to the router? Also, where is the default gateway on the pix pointing to? If remote users are connecting to the pix, then the return traffic is going to follow the default gateway and take Internet Link 1 instead of Link 2. And this is probably why your tunnel is getting stuck at AG_INIT_EXCH.


Regards,

Arul


*Pls rate if it helps*

kwillacey Mon, 12/15/2008 - 20:20

I guess you are both correct, it could be a routing issue, and yes it is remote access vpn, but let me clarify. The PIX has two links to the router, both interfaces are configured as outside interfaces on the PIX, outside and outside2; the default route uses the outside interface. The router has static translations for vpn traffic and sends it to the outside and outside2 interface.


What I want is if internet link 1 goes down then vpn traffic can come in on internet link 2. The router is setup such that if internet link 1 goes down then vpn traffic coming from the PIX will be sent over internet link 2. Could it be that I need to change the default route on the PIX to use outside2 to get it to work when a failure occurs?
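The following is an added example, not posted by anyone in this thread and not Cisco code. It simulates the PIX routing table described above (two outside interfaces, default route via outside) with a plain longest-prefix-match lookup, and shows why an IKE reply to a client arriving on outside2 leaves on outside instead, which is the asymmetric-path diagnosis Rick and Arul gave. All addresses are constructed RFC 5737 documentation ranges; the interface names and the "manual failover" of the default route are taken from the thread, everything else is assumed.

```python
"""Simulate egress-interface selection on a firewall with two outside links.

Constructed example: addresses are RFC 5737 documentation ranges,
the topology is the one described in the thread (outside, outside2, inside).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


class RouteTable:
    """Longest-prefix-match lookup, the way a firewall picks an egress interface."""

    DEFAULT = ipaddress.ip_network("0.0.0.0/0")

    def __init__(self, routes):
        self.routes = list(routes)

    def egress(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            raise LookupError(f"no route to {dst_ip}")
        # Most specific prefix wins; the default route only applies as a last resort.
        return max(matches, key=lambda r: r.prefix.prefixlen).interface

    def replace_default(self, interface):
        """The 'manual failover' option: repoint the default route at the other link."""
        self.routes = [r for r in self.routes if r.prefix != self.DEFAULT]
        self.routes.append(Route(self.DEFAULT, interface))


def pix_table():
    """Constructed PIX table: two links to the router, default route via 'outside'."""
    return RouteTable([
        Route(ipaddress.ip_network("192.0.2.0/30"), "outside"),      # router link, ISP 1 path
        Route(ipaddress.ip_network("198.51.100.0/30"), "outside2"),  # router link, ISP 2 path
        Route(ipaddress.ip_network("10.0.0.0/8"), "inside"),         # internal networks
        Route(RouteTable.DEFAULT, "outside"),                        # default route
    ])


def check_ike_path(table, ingress_if, client_ip):
    """Decide whether the IKE reply to a remote-access client returns on the
    same interface the client's first packet arrived on."""
    egress_if = table.egress(client_ip)
    symmetric = ingress_if == egress_if
    return {
        "ingress": ingress_if,
        "egress": egress_if,
        "symmetric": symmetric,
        "verdict": ("IKE reply returns over the same link" if symmetric else
                    "IKE reply leaves over the other link; the client sent to the "
                    "other ISP address and never accepts it, so the responder is "
                    "left in AG_INIT_EXCH"),
    }


if __name__ == "__main__":
    table = pix_table()
    client = "203.0.113.10"  # constructed remote-access client address
    for ingress in ("outside", "outside2"):
        r = check_ike_path(table, ingress, client)
        print(f"in {r['ingress']:8} out {r['egress']:8} {r['verdict']}")
    table.replace_default("outside2")  # manual failover after ISP 1 goes down
    r = check_ike_path(table, "outside2", client)
    print(f"after failover: in {r['ingress']} out {r['egress']} {r['verdict']}")
```

Running it shows the client arriving on outside2 getting its reply routed out outside while the default route points there, and the path becoming symmetric only after the default route is moved to outside2, which is why Arul calls that approach a manual failover: whichever link holds the default route is the only one over which remote-access IKE completes.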

ajagadee Mon, 12/15/2008 - 20:37

Yes, one option is to change the default route to point to the second ISP. But, this is going to be a manual failover.


The other option is to use the Redundant or Backup ISP Link. More information in the below URL:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml


Regards,

Arul


*Pls rate if it helps*

kwillacey Tue, 12/16/2008 - 05:38

That would work if it were only the PIX but there is a router in front of it.
