I have the following configuration setup:
Cisco 1811 (Client Router)
Fa0 - Internal Network 192.168.0.0/24
Fa1 - Primary ISP connection, we'll call it 18.104.22.168
Fa2 - Vlan 800
Vlan 800 - Secondary ISP connection, we'll call it 22.214.171.124
ASA 5580 running 8.2
Outside interface we'll call 126.96.36.199
crypto map 5 set peer 188.8.131.52 184.108.40.206
crypto map 5 match address test_network
I have a tunnel-group defined for both 220.127.116.11 and 18.104.22.168
Now for the issue. I have the 1811 set up with SLA tracking. I use a default route-map to make sure that the ICMP goes out of Fa1 at all times, and I track the default route with this. I have a floating weighted 250 default route pointing to the backup ISP.
While both networks are reachable, I can create the tunnel using the primary ISP to 22.214.171.124 (from 126.96.36.199). I can ping across the tunnel without issue. I can then simulate an outage of the primary ISP and the secondary route will kick in. I ping across the tunnel again, and on the ASA I can see a new ISAKMP connection has been established. Looking on the 1811, I see (2) QM_IDLE isakmp connections.
While the primary link is down, I can still ping across the tunnel without issue. The primary isakmp session on the 1811 never drops off but on the ASA it does in fact get removed. The ASA only has an established connection to 188.8.131.52. Once the primary link recovers and the default route is back out the primary ISP connection, the tunnel never recovers. The ASA appears to think that the secondary ISP is the active connection still and the routing doesn't work across the tunnel because the 1811 is trying to send data out the primary ISP.
Is there a way to do the following:
- When the primary ISP goes down on the 1811, the established tunnel is dropped
- When the primary ISP comes back up on the 1811, the ASA can re-establish the connection using the primary link (or the backup tunnel on the 1811 is disconnected)?
Is this even possible to do on a single router (2 ISP links) or can it only be done using 2 routers?
Let me know if I need to explain a bit better or if any configuration details are needed.
By having IP SLA tracking on the 1811, as soon as the tracking is down, the second tunnel should establish. (This also means that by enabling keepalives on both ends they should notice that the primary tunnel is not active and bring it down on both ends.)
The keepalives will constantly monitor the other peer's health, so this should help you for both questions.
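An added configuration sketch (not from the original question or reply, and not a Cisco-published example) that puts the pieces together for the setup described above: the IP SLA track and floating route the question already uses, plus the ISAKMP/DPD keepalives the reply recommends on both the 1811 and the ASA. PROBE_TARGET, PRIMARY_GW and BACKUP_GW are placeholders for addresses the post does not give; the IP SLA, track and applet names are assumed; the two EEM applets are an optional extra that assumes an IOS release supporting "event track", and they force the 1811 to re-key toward the ASA (126.96.36.199) as soon as the tracked route changes instead of waiting for DPD to time out.

```text
! --- Cisco 1811 (IOS) ---
! Probe the primary ISP only. The policy route-map from the question already
! forces this ICMP out Fa1, so the probe follows that link alone.
ip sla 1
 icmp-echo PROBE_TARGET source-interface FastEthernet1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary default route exists only while the probe succeeds; the floating
! route (AD 250) toward the backup ISP takes over when it is withdrawn.
ip route 0.0.0.0 0.0.0.0 PRIMARY_GW track 1
ip route 0.0.0.0 0.0.0.0 BACKUP_GW 250
!
! Dead Peer Detection: keepalive every 10 s, retry every 3 s once the peer
! stops answering, so a stale SA is torn down instead of staying in QM_IDLE.
crypto isakmp keepalive 10 3 periodic
!
! Optional (assumes EEM with "event track"): clear the session to the ASA on
! every track transition so IKE is renegotiated from the now-active ISP
! address. This covers both bullets in the question: the primary tunnel is
! dropped on failover, and the backup tunnel is dropped on recovery.
event manager applet PRIMARY_DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto session remote 126.96.36.199"
event manager applet PRIMARY_UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto session remote 126.96.36.199"

! --- ASA 5580 (8.2) ---
! Keepalives toward each 1811 peer address, so the ASA drops whichever
! session goes quiet and accepts a fresh IKE from the other address.
tunnel-group 220.127.116.11 ipsec-attributes
 isakmp keepalive threshold 10 retry 3
tunnel-group 18.104.22.168 ipsec-attributes
 isakmp keepalive threshold 10 retry 3
```

With keepalives on both sides, "show crypto isakmp sa" on the 1811 should show only one QM_IDLE entry after failover; if the primary entry lingers, check that DPD is actually negotiated (both peers must send the keepalive vendor ID) before adding the EEM applets.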