ASA 5505 + Security Plus License & backup ISP config

Unanswered Question
Apr 6th, 2009
User Badges:


Looking for some help with backup ISP configuration on ASA 5505.

I have attached my configs as site-a and site-b.

I have a simulated internet using a router as a frame relay switch and 4 hub/spoke routers that can all ping each other. That part of the config is fine and works a treat. I then have 2 ASA 5505 firewalls attached to the routers such that I have site-a with outside and backup interfaces and site-b with outside and backup interfaces. each side can ping the external routers as normal and I have created a site to site VPN between the networks, this works as expected. My problem starts when I disconnect either outside interface to simulate an outage of the primary ISP route, the tracking part works fine and the backup default route is installed in the routing table, however I cannot ping across the router to any external router whilst the backup route is installed. When I reinstate the primary route, it is then put back into the routing table and the connections start to work.

Not sure what I am missing, but I think it could be security policy related.

Thanks in advance for any help provided.

John Verdon.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
johnverdon Tue, 04/07/2009 - 02:18
User Badges:

I found part of the answer to my problem, I was missing the following command in the config of both sites.

global (backup) 1 interface

so now the backup route is installed into the routing table and the traffic can flow as expected.

My problem now seems to be that whilst the link drops, then the site to site vpn drops during the failover period, the vpn link fails to reconnect.

The VPN appears to be created and the VPN lights on the front of the ASA boxes is on, but no traffic flows across the VPN tunnel.

I Think this is a security policy configuration issue but not sure what is required.



johnverdon Wed, 04/08/2009 - 07:12
User Badges:

For anybody that's interested, I managed to get this working so that the VPN tunnel is recreated if either primary ISP connection fails and if Both primary ISP connections fail at the same time. Below is the relevant section that needs to be changed, config is for Site A.

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto map backup_map 1 match address backup_1_cryptomap

crypto map backup_map 1 set pfs

crypto map backup_map 1 set peer

crypto map backup_map 1 set transform-set ESP-3DES-SHA

crypto map backup_map 1 set security-association lifetime seconds 120

crypto isakmp enable outside

crypto isakmp enable backup

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

I have set the SA life to 2 mins on the backup interfaces because when the primary interface is returned to normal, the VPN failed recover in a reasonable time.

Other than that along with the extra line as previous,

global (backup) 1 interface

the configs are as posted.

Hope that helps any one with a similar problem.


acomiskey Wed, 04/08/2009 - 07:23
User Badges:
  • Green, 3000 points or more

Thanks for sharing! 5 points for you!

veljko.tasic Mon, 04/13/2009 - 07:06
User Badges:


Thanks for info.

Can you also post details how you configured tunnel-groups?

Is it necessary to add additional tunnel group for second peer?

johnverdon Wed, 04/15/2009 - 11:13
User Badges:


It is necessary to add the second tunnel groups for the backup interface. When I configured the site to site tunnels I used the VPN wizard to create the correct configuration, running it twice at each end point. It's important to note that you need to select the backup interface when creating the second tunnel group, use the same information as the primary tunnel setup.

Once you have created 2 instances (1st for primary ISP and 2nd for Backup ISP) of tunnel groups at both ends you need to edit them so that you add the remote endpoint backup interface, when you use the GUI you get an error about only being able to add the backup interface when set to 'originate-only' I set it this way and saved the config, then returned and changed it back to Bi-directional and re saved the config, this allows you to fail over to the remote backup ISP connection should it's primary fail.

The final change that needs to be made is to set the SA life to 120 seconds on the backup connections, this helps the VPN tunnels to return to the primary interfaces when they return.

Hope that helps.



This Discussion