Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
856
Views
10
Helpful
5
Replies

ASA 5505 + Security Plus License & backup ISP config

johnverdon
Level 1
Level 1

‎04-06-2009 10:47 AM - edited ‎03-11-2019 08:15 AM

Hi,

Looking for some help with backup ISP configuration on ASA 5505.

I have attached my configs as site-a and site-b.

I have a simulated internet using a router as a frame relay switch and 4 hub/spoke routers that can all ping each other. That part of the config is fine and works a treat. I then have 2 ASA 5505 firewalls attached to the routers such that I have site-a with outside and backup interfaces and site-b with outside and backup interfaces. each side can ping the external routers as normal and I have created a site to site VPN between the networks, this works as expected. My problem starts when I disconnect either outside interface to simulate an outage of the primary ISP route, the tracking part works fine and the backup default route is installed in the routing table, however I cannot ping across the router to any external router whilst the backup route is installed. When I reinstate the primary route, it is then put back into the routing table and the connections start to work.

Not sure what I am missing, but I think it could be security policy related.

Thanks in advance for any help provided.

John Verdon.

Labels:
Preview file
6 KB
Preview file
6 KB
0 Helpful
5 Replies 5

johnverdon
Level 1
Level 1

‎04-07-2009 02:18 AM

I found part of the answer to my problem, I was missing the following command in the config of both sites.

global (backup) 1 interface

so now the backup route is installed into the routing table and the traffic can flow as expected.

My problem now seems to be that whilst the link drops, then the site to site vpn drops during the failover period, the vpn link fails to reconnect.

The VPN appears to be created and the VPN lights on the front of the ASA boxes is on, but no traffic flows across the VPN tunnel.

I Think this is a security policy configuration issue but not sure what is required.

Regards,

John.

0 Helpful

johnverdon
Level 1
Level 1
In response to johnverdon

‎04-08-2009 07:12 AM

For anybody that's interested, I managed to get this working so that the VPN tunnel is recreated if either primary ISP connection fails and if Both primary ISP connections fail at the same time. Below is the relevant section that needs to be changed, config is for Site A.

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 44.44.44.45 55.55.55.56

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto map backup_map 1 match address backup_1_cryptomap

crypto map backup_map 1 set pfs

crypto map backup_map 1 set peer 44.44.44.45 55.55.55.56

crypto map backup_map 1 set transform-set ESP-3DES-SHA

crypto map backup_map 1 set security-association lifetime seconds 120

crypto isakmp enable outside

crypto isakmp enable backup

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

I have set the SA life to 2 mins on the backup interfaces because when the primary interface is returned to normal, the VPN failed recover in a reasonable time.

Other than that along with the extra line as previous,

global (backup) 1 interface

the configs are as posted.

Hope that helps any one with a similar problem.

John.

acomiskey
Level 10
Level 10
In response to johnverdon

‎04-08-2009 07:23 AM

Thanks for sharing! 5 points for you!

0 Helpful

veljko.tasic
Level 1
Level 1
In response to johnverdon

‎04-13-2009 07:06 AM

Hi,

Thanks for info.

Can you also post details how you configured tunnel-groups?

Is it necessary to add additional tunnel group for second peer?

0 Helpful

johnverdon
Level 1
Level 1
In response to veljko.tasic

‎04-15-2009 11:13 AM

Hi,

It is necessary to add the second tunnel groups for the backup interface. When I configured the site to site tunnels I used the VPN wizard to create the correct configuration, running it twice at each end point. It's important to note that you need to select the backup interface when creating the second tunnel group, use the same information as the primary tunnel setup.

Once you have created 2 instances (1st for primary ISP and 2nd for Backup ISP) of tunnel groups at both ends you need to edit them so that you add the remote endpoint backup interface, when you use the GUI you get an error about only being able to add the backup interface when set to 'originate-only' I set it this way and saved the config, then returned and changed it back to Bi-directional and re saved the config, this allows you to fail over to the remote backup ISP connection should it's primary fail.

The final change that needs to be made is to set the SA life to 120 seconds on the backup connections, this helps the VPN tunnels to return to the primary interfaces when they return.

Hope that helps.

John.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card