ASA 8.0.4-32 Redundant L2L VPNs

Answered Question
Dec 14th, 2009

Scenario:

Central Office

2 ASA 5510 Firewalls configured in Active/Standby

Crypto map applied to outside interface

Crypto map contains an entry for each remote office

Each entry has two peers set

10 remote offices

Cisco 1841 router

T1 connection

Cable connection via FastEthernet port (backup internet connection)

Same crypto map applied to both WAN interfaces for redundancy

Intended outcome:

VPN tunnels should be established between the ASA and each of the 10 1841s over their connected T1s.

If the T1 drops for a remote office, the traffic that was previously being sent over the VPN to the T1 peer address should now be sent over a tunnel established between the same interface on the CO router and the Cable peer address on the remote router.

Problem:

This was working before we migrated from a pair of Pix 515e firewalls to a pair of ASA 5510 firewalls.  I suspect that the ASA 5510 does not like having two peers set with one "crypto map mymap 15 set peer" statement as I have below.  The reason I suspect this is because when I view the connection profiles using the ASDM, the profiles for the secondary peers (or those with Cable IPs) show the IP address for the primary peer (or those with T1 IPs).  Currently the tunnels work fine over the T1 connections to the remote routers, but none of the tunnels establish over the cable connections (even if the T1 is disconnected from the remote router) and traffic is sent from the internal network that matches the crypto map.  Each of the remote 1841s has a default route set for both WAN connections, with the T1 connection having a higher preference.

So, what I need to know is what would be the best way to have redundant VPN tunnels to each of the remote sites using the aforementioned hardware so that it works as flawlessly as possible.

The following is some of the applicable configuration from the ASA at the central office.

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map mymap 15 match address greenwood
crypto map mymap 15 set peer x.x.x.x y.y.y.y     (where x.x.x.x is the T1 IP and y.y.y.y is the Cable IP of the remote router)
crypto map mymap 15 set transform-set myset

crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside

crypto isakmp policy 25
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key *

Correct Answer by Yudong Wu, Mon, 12/14/2009 - 15:22

Copied from the command reference:

crypto map set peer

You can set up multiple peers only when using the backup LAN-to-LAN feature (that is, when the crypto map connection type is originate-only). For more information, see the crypto map set connection-type command.

crypto map set connection-type

The crypto map set connection-type command specifies the connection types for the Backup Lan-to-Lan feature. It allows multiple backup peers to be specified at one end of the connection.

This feature works only between the following platforms:

Two Cisco ASA 5500 series security appliances

A Cisco ASA 5500 series security appliance and a Cisco VPN 3000 concentrator

A Cisco ASA 5500 series security appliance and a security appliance running Cisco PIX security appliance software v7.0, or higher

It looks like it does not support ASA - IOS router any more, but you can add "crypto map set connection-type originate-only" to give it a try.

The other way is to configure a dynamic crypto map on the headend ASA, as in the example in the link below.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00805733df.shtml
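The two options from this answer, written out as an added configuration example; it is not from the thread or from Cisco's linked document. It reuses the thread's own names (mymap, myset, greenwood, peers x.x.x.x and y.y.y.y). The ASA outside address a.a.a.a, the dynamic-map name DYN-REMOTES, the ACL greenwood-to-co, the LAN subnets, the 1841 interface names and the PSK placeholder are assumptions.

```cisco
! ===== Option A (first suggestion): keep the static entry, mark it originate-only =====
! Both peers stay on one entry and the ASA treats y.y.y.y as a backup peer for tunnels
! it originates. The original poster later reports in this thread that this did not
! help with 1841 routers; it is shown for completeness.
crypto map mymap 15 match address greenwood
crypto map mymap 15 set peer x.x.x.x y.y.y.y
crypto map mymap 15 set transform-set myset
crypto map mymap 15 set connection-type originate-only

! ===== Option B (what the poster adopted): dynamic crypto map on the headend ASA =====
! Remove the static entry so the site is no longer tied to one peer pair.
no crypto map mymap 15 match address greenwood
no crypto map mymap 15 set peer x.x.x.x y.y.y.y
no crypto map mymap 15 set transform-set myset
!
! Dynamic entry: accepts IKE from any address that presents a valid PSK and proposal.
! reverse-route injects the remote LAN into the ASA routing table while the tunnel is
! up, so the headend does not need to know which WAN address (T1 or cable) the site
! came in on.
crypto dynamic-map DYN-REMOTES 10 set transform-set myset
crypto dynamic-map DYN-REMOTES 10 set reverse-route
crypto map mymap 65535 ipsec-isakmp dynamic DYN-REMOTES
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
!
! Peers whose address has its own tunnel-group still use it, so each site keeps a
! unique PSK as in the original config. DefaultL2LGroup is only the fallback for
! addresses with no tunnel-group of their own; leave it without a PSK unless unlisted
! peers should be accepted. DPD (isakmp keepalive) tears down the stale SA toward
! x.x.x.x once the site has re-established from y.y.y.y.
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key GREENWOOD-PSK-PLACEHOLDER
 isakmp keepalive threshold 10 retry 2
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key GREENWOOD-PSK-PLACEHOLDER
 isakmp keepalive threshold 10 retry 2

! ===== Remote 1841 side: static map to the ASA outside address a.a.a.a =====
! Applied to both WAN interfaces so whichever one currently carries the default route
! initiates the tunnel. Subnets are constructed (site LAN 192.168.15.0/24, CO LAN
! 10.0.0.0/24); the ASA's greenwood ACL must be the mirror image.
crypto isakmp policy 25
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key GREENWOOD-PSK-PLACEHOLDER address a.a.a.a
crypto isakmp keepalive 10 2
crypto ipsec transform-set myset esp-3des esp-md5-hmac
ip access-list extended greenwood-to-co
 permit ip 192.168.15.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto map mymap 10 ipsec-isakmp
 set peer a.a.a.a
 set transform-set myset
 match address greenwood-to-co
interface Serial0/0/0
 crypto map mymap
interface FastEthernet0/1
 crypto map mymap
! Existing default routes: T1 preferred, cable floating (as in the original post).
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 1
ip route 0.0.0.0 0.0.0.0 CABLE-GW-PLACEHOLDER 10
```

With option B only the remote site can bring the tunnel up, because the headend no longer has a peer address to send IKE to; traffic originating at the central office for an idle site waits until the site initiates. That limitation is the subject of the later posts in this thread.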

r.d.schnitzer Wed, 12/23/2009 - 06:42

Thank you for your response Kevin.  I tried setting the connection-type to originate-only, but unfortunately that didn't help.  Configuring the VPNs to be dynamic on the headend ASA allowed everything to work as desired.

dknoezinger Fri, 01/15/2010 - 02:29

Hi,

I am facing the same problem as you.

One thing that I am interested in: you are saying that using dynamic crypto-maps on the headend solved the problem.

If I understand this correctly, then the 2 redundant remote routers at each site initiate the tunnel to the ASA bundle (the ASA does not know the peer addresses) - correct?

How does the redundancy at the remote site work then? I assume both routers have different WAN IPs and speak HSRP/VRRP on the LAN side.

How did you manage that only one of the routers (maybe the active HSRP router) initiates the tunnel at a time? Or do both of them initiate their own tunnel and you work with RRI at the remote site? I have a situation with a firewall behind the two remote routers that does not support dynamic routing...

I appreciate your help!

Thanks,

Daniel

Yudong Wu Fri, 01/15/2010 - 09:10

Yes, at the remote site, if you have two routers, one for each WAN connection, you can use HSRP on their LAN interfaces facing your firewall. On the firewall, you need to configure a default route pointing to the HSRP IP address so that all traffic is sent to the active HSRP router only. When configuring HSRP, you can track the WAN interface or use object tracking:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/fthsrptk.html#wp1146585

When the WAN interface on the active HSRP router goes down, the other router becomes HSRP active and the firewall sends the traffic to it, and a new IPsec tunnel is established accordingly.
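The remote-site arrangement this answer describes, as an added configuration example (not from the thread or from the linked Cisco guide): two 1841s sharing an HSRP address on the LAN segment that faces the site firewall, each tracking its own WAN interface so the active role follows the working uplink. Router names, LAN addressing, interface names and decrement values are constructed; mymap is the remote-side crypto map from earlier in the thread and is assumed to already exist on both routers.

```cisco
! ----- R1: primary (T1) router. Higher priority, preempts, tracks its own uplink -----
hostname R1
interface Serial0/0/0
 description T1 uplink (peer address x.x.x.x from the thread)
 ip address x.x.x.x 255.255.255.252
 crypto map mymap
interface FastEthernet0/0
 description LAN toward site firewall (constructed addressing)
 ip address 192.168.15.2 255.255.255.0
 standby 1 ip 192.168.15.1
 standby 1 priority 110
 standby 1 preempt
 ! If Serial0/0/0 goes down, priority drops by 20 (110 -> 90), below R2's 100,
 ! so R2 preempts and becomes active.
 standby 1 track Serial0/0/0 20
ip route 0.0.0.0 0.0.0.0 Serial0/0/0

! ----- R2: backup (cable) router. Default priority, also preempts so it can return -----
hostname R2
interface FastEthernet0/1
 description cable uplink (peer address y.y.y.y from the thread)
 ip address y.y.y.y 255.255.255.0
 crypto map mymap
interface FastEthernet0/0
 ip address 192.168.15.3 255.255.255.0
 standby 1 ip 192.168.15.1
 standby 1 priority 100
 standby 1 preempt
 ! Symmetric tracking: if the cable link is down, R2 should not win over a healthy R1.
 standby 1 track FastEthernet0/1 20
ip route 0.0.0.0 0.0.0.0 CABLE-GW-PLACEHOLDER

! ----- Site firewall: a single static default route to the HSRP virtual address -----
! Written in IOS syntax for uniformity; the actual command depends on the firewall.
ip route 0.0.0.0 0.0.0.0 192.168.15.1
```

Because the firewall forwards everything to the virtual address, only the currently active router ever sees interesting traffic, so only that router initiates a tunnel to the headend; the standby router has no reason to bring up a second one. Interface tracking as shown reacts to a link that goes down; a T1 whose interface stays up while the path beyond it is dead needs the object-tracking variant from the linked guide (an IP SLA probe to the ISP gateway, tracked with `standby 1 track <object> decrement 20`).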

dknoezinger Mon, 01/18/2010 - 06:03

Thanks Kevin!

That is clear so far.

The only downside I see is that in this situation only the remote side can trigger the tunnel-setup.

What if the headend needs to send the first packet?

That does not seem to be a perfect workaround for the redundant L2L tunnel setup - right?

Thanks and best regards,

Daniel

Yudong Wu Tue, 01/19/2010 - 21:09

It's not impossible; it depends on how you would like to do it and how much money you would like to spend.

If the remote end is an IOS router, you can use two ASA interfaces to provide lan-2-lan redundancy from the ASA side as well.

For example,

1. Configure SLA on the ASA to monitor reachability to the remote end's primary interface.

2. When the remote end's primary link is down, the ASA will use the backup route to send the traffic out its secondary interface, which has a crypto map peering with the remote end's secondary interface.

I did not test this but I think it should work.

HTH.
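The two-step sketch above, written out as an added ASA configuration example; it is not from the thread and, as the answer says, this approach was not tested by its author. It reuses the thread's names (mymap, myset, greenwood, x.x.x.x and y.y.y.y) and assumes a second ASA WAN interface named backup, a constructed remote LAN of 192.168.15.0/24 for the greenwood site, and placeholder gateway, address and PSK values.

```cisco
! ----- Second WAN interface on the ASA (constructed) -----
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address ASA-BACKUP-IP-PLACEHOLDER 255.255.255.248

! ----- Step 1: probe the remote router's T1 address from the outside interface -----
! The echo goes to the peer's public address, so it is not matched by the crypto ACL
! and travels in the clear; the remote router must answer ICMP echo on its T1
! interface. One sla monitor / track per site (ten here), numbered like the map entry.
sla monitor 15
 type echo protocol ipIcmpEcho x.x.x.x interface outside
 num-packets 3
 frequency 10
sla monitor schedule 15 life forever start-time now
track 15 rtr 15 reachability

! ----- Step 2: the route to this site's LAN follows the track -----
! While the probe succeeds the metric-1 route out "outside" is installed. When it
! fails the route is withdrawn and the floating route (metric 254) out "backup" takes
! over, so the site's traffic now egresses the interface whose crypto map peers with
! the remote cable address.
route outside 192.168.15.0 255.255.255.0 OUTSIDE-GW-PLACEHOLDER 1 track 15
route backup  192.168.15.0 255.255.255.0 BACKUP-GW-PLACEHOLDER 254

! ----- One crypto map per interface, each with a single peer for the site -----
crypto map mymap 15 match address greenwood
crypto map mymap 15 set peer x.x.x.x
crypto map mymap 15 set transform-set myset
crypto map mymap interface outside
!
crypto map mymap-backup 15 match address greenwood
crypto map mymap-backup 15 set peer y.y.y.y
crypto map mymap-backup 15 set transform-set myset
crypto map mymap-backup interface backup
!
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable backup

! ----- DPD so the stale SA toward x.x.x.x is torn down rather than left to expire -----
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key GREENWOOD-PSK-PLACEHOLDER
 isakmp keepalive threshold 10 retry 2
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key GREENWOOD-PSK-PLACEHOLDER
 isakmp keepalive threshold 10 retry 2
```

The remote 1841 needs the matching half: the map on its T1 interface peers with the ASA outside address and the map on its cable interface peers with the ASA backup address, otherwise the ASA's backup-side proposal is refused. Two points to check before relying on this: the probe only observes reachability from the ASA to x.x.x.x, so a failure that is visible only from the remote side (for example the remote can still be pinged but cannot reach the ASA) does not trigger the switch; and because the route is per site, a failed T1 at one office moves only that office's traffic to the backup interface, leaving the other nine on their primary tunnels.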
