Cisco ASA 5510 - VPN tunnels failover

Feb 27th, 2010

I will try to summarise my setup.

Site A Remote Office
- LAN 192.88.0.0 /24
- Interface connected to ISP connection 1 (main) - 81.1.2.30
- Interface connected to ISP connection 2 (backup) - 81.3.3.40

Site B Main Office
- LAN 192.28.0.0 /24
- Interface connected to ISP connection 1 (main) - 80.3.4.40
- Interface connected to ISP connection 2 (backup) - 80.4.5.50

What I want to have happen is that there are 2 VPN tunnels.
Between Remote and Main Office- Tunnel 1 81.1.2.30 to 80.3.4.40
and Tunnel 2 81.3.3.40 to 80.4.5.50

I have set up the tunnels and can get the first tunnel up each time. Traffic flows freely each time to and from sites with no issue.

If I disconnect the main connection to the ISP at Remote office, so the ASA diverts all outgoing traffic from the main connection to the backup connection, then it brings up the 2nd tunnel.

But...

People at the remote site can VPN into the main site with no issue at all. The ASA there knows that all traffic for the main office will go through the backup interface as the main interface is down.

But....

If people at the main office try to access the remote office then they do not have any success! This is because the ASA at the main office still tries to route out via its usual (main) ISP connection, and fails!

How can I get this so there is two way traffic!

Setting the tunnels at one site to answer only does not seem to solve the problem, as it then still expects to establish the tunnel from the outside!

Summary of config:-

Extract from main office

access-list outside_60_cryptomap extended permit ip Main_Office 255.255.255.0 Remote_LAN 255.255.255.0
access-list backup_40_cryptomap extended permit ip Main_Office 255.255.255.0 Remote_LAN 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map backup_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer 216.36.175.6
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 60 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

crypto map backup_map 40 match address backup_40_cryptomap
crypto map backup_map 40 set peer 87.95.81.102
crypto map backup_map 40 set transform-set ESP-3DES-MD5
crypto map backup_map 40 set reverse-route
crypto map backup_map 65535 ipsec-isakmp dynamic backup_dyn_map
crypto map backup_map interface backup
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

mopaul Sun, 02/28/2010 - 21:27

Hi ,


In the summary, you have mentioned the public IP addresses on main and back up interfaces are 81.1.2.30 and 81.3.3.40; 80.3.4.40 and 80.4.5.50 for ASAs on site 1 and Site 2 resp. But in the configuration I see none of the IP addresses as the remote peer. Can you please zip the complete running configuration from both the ASAs and post it here for review?


The VPN failover configuration :-


On Remote Site ASA

-------------------------------


crypto isakmp enable outside
crypto isakmp enable backup


crypto map outside_map 1 set peer  80.3.4.40 80.4.5.50

crypto map outside_map interface outside

crypto map outside_map interface backup


On Main Site ASA
---------------------------


crypto isakmp enable outside
crypto isakmp enable backup


crypto map outside_map 1 set peer  81.1.2.30 81.3.3.40

crypto map outside_map interface outside

crypto map outside_map interface backup



Note: Do this configuration via CLI.


Also, you can refer to the link below, but don't be confused by looking at the configuration. Just go by the Back up Site to Site VPN paragraph.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml

Try this and let me know how it goes.



Regards

M

mawallace Mon, 03/01/2010 - 03:12

A couple of questions I have looking at your post:-

i. Do I need to delete the existing details re peers via CLI first, or by entering the command crypto map outside_map 1 set peer 81.1.2.30 81.3.3.40 will this overwrite the existing details? Or do I need to delete them in the CLI first and then re-enter them?

ii. Can I have more than two maps on the same interface - or should I add the details to the maps already defined.

iii. I thought that you had to define direction when setting peers under ASA 5510? As in the example:-

crypto map map-name seq-num set connection-type {answer-only | originate-only | bidirectional} 


iv. Is there any way you can set an ASA to ping the VPN tunnel or host on the other site to keep a VPN tunnel up all the time?

mawallace Mon, 03/01/2010 - 08:03

Ok - did not work. But I have an issue with my config that I need to get looked at first!

The issue is this

On the backup interface

Remote office - If I set up tunnel to originate and Main office to receive then tunnel comes up - traffic passes from Remote to Main via it fine but not other way?!

If I reverse so at Main office change to originate and Remote office to receive then the tunnel does not come up and traffic will not pass. Looking at the Remote log it has "no matching crypto map entry".

Group = 68.96.85.174, IP = 68.96.85.174, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.28.2/255.255.255.255/0/0 local proxy 68.96.81.102/255.255.255.255/0/0 on interface backup

Other problems

I tried to put the redundant peers into the config as suggested. It tries the primary tunnel as suggested.

However, if the primary link goes down, it does not try the next one on the list! It is as if it is not aware that the VPN has gone down! You can see it in diag's trying to reconnect on the primary VPN.

What I want is if the main connection disconnects it tries the next one on the list - but routes the VPN out via the backup interface.

Configs as requested. I changed IP addresses in the example above to ensure that I did not release full details of my config on the web.

Please note that I have therefore used different IP addresses this time!

Main office ip internet addresses 117.37.180.46 & 68.96.85.174 - (backup goes via another router 192.168.30.1 - see static routing)

Remote office ip internet addresses 117.37.175.175.6 & 68.96.81.102 (backup goes via another router 192.168.88.1 - see static routing)

shincanada Mon, 03/15/2010 - 11:02

I think the problem is with your route tracking setup.  From the remote track the outside IP of the main.  From the main track the outside IP of the remote.  If the path fails install routes between sites via the backup interface.

My crypto config is basically the same. My sla monitor and routing config is below (verified working). Both firewalls are running 8.2(1).

! firewall-1
! outside ip: 172.24.219.1

sla monitor 10
 type echo protocol ipIcmpEcho 172.24.219.98 interface outside
 timeout 1000
 frequency 3
sla monitor schedule 10 life forever start-time now

track 10 rtr 10 reachability

route outside 192.168.249.0 255.255.255.0 172.24.219.6 1 track 10
route backup 192.168.249.0 255.255.255.0 192.168.20.1 140


! firewall-3
! outside ip: 172.24.219.98

sla monitor 10
 type echo protocol ipIcmpEcho 172.24.219.1 interface outside
 timeout 1000
 frequency 3
sla monitor schedule 10 life forever start-time now

track 10 rtr 10 reachability

route outside 192.168.254.0 255.255.255.0 172.24.219.97 1 track 10
route backup 192.168.254.0 255.255.255.0 192.168.10.1 140
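
An added example, not part of the post above or of any Cisco tooling: a small Python check that each tracked static route in an ASA config has a scheduled SLA probe on the same interface and a floating route on another interface. It runs over the firewall-1 lines from the post and a constructed broken copy; the function name `audit` and the finding strings are assumptions of this example.

```python
import re

# firewall-1 config as posted in the thread above.
FIREWALL_1 = """\
sla monitor 10
 type echo protocol ipIcmpEcho 172.24.219.98 interface outside
 timeout 1000
 frequency 3
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability
route outside 192.168.249.0 255.255.255.0 172.24.219.6 1 track 10
route backup 192.168.249.0 255.255.255.0 192.168.20.1 140
"""

# Constructed variant: probe never scheduled, floating route removed.
BROKEN = "\n".join(ln for ln in FIREWALL_1.splitlines()
                   if "schedule" not in ln and not ln.startswith("route backup"))

def audit(config):
    """Return a list of findings for each tracked static route (hypothetical helper)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    probes, current = {}, None          # sla id -> interface the probe leaves by
    scheduled, tracks, routes = set(), {}, []
    for ln in lines:
        if m := re.fullmatch(r"sla monitor (\d+)", ln):
            current = m[1]
        elif m := re.fullmatch(r"sla monitor schedule (\d+) .*", ln):
            scheduled.add(m[1])
        elif (m := re.fullmatch(r"type echo protocol ipIcmpEcho \S+ interface (\S+)", ln)) and current:
            probes[current] = m[1]
        elif m := re.fullmatch(r"track (\d+) rtr (\d+) reachability", ln):
            tracks[m[1]] = m[2]
        elif m := re.fullmatch(r"route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?", ln):
            routes.append((m[1], m[2], m[3], int(m[5] or 1), m[6]))
    findings = []
    for ifc, net, mask, metric, trk in routes:
        if trk is None:
            continue                    # only tracked routes are audited
        sla = tracks.get(trk)
        if sla is None:
            findings.append(f"{net}: track {trk} is not defined")
        elif probes.get(sla) != ifc:
            findings.append(f"{net}: sla monitor {sla} does not probe via {ifc}")
        elif sla not in scheduled:
            findings.append(f"{net}: sla monitor {sla} is never scheduled")
        if not any(i != ifc and (n, k) == (net, mask) and d > metric
                   for i, n, k, d, t in routes):
            findings.append(f"{net}: no floating route on another interface")
    return findings
```
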
