Backup Peer on ASA not working when on peer 2

Answered Question

Running ASA 5505 with version 8.2(2).


I have configured a backup peer with this crypto configuration:


access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0


crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer Y.Y.Y.Y
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400


The tunnel works fine when on peer 1, X.X.X.X (pinging between hosts at 192.168.1.2 and 10.0.1.3 on the private networks). When it switches over to peer 2, Y.Y.Y.Y, the tunnel comes back up with Y.Y.Y.Y as the end-point as verified in 'show crypto ipsec sa'. However I cannot pass any traffic across when peer 2 is up. Note that the peer on the other side is a multi-WAN device and has X.X.X.X and Y.Y.Y.Y attached and the failure is created by unplugging X.X.X.X from the device.


When I run an ASA packet-trace command using ICMP (packet-trace input inside icmp 192.168.1.2 8 0 10.0.1.3 detail) at Phase 12 it drops the packet when it starts to encrypt the packet. With crypto debugs on it matches the crypto ACL early on in the Phases (Phase 3) so I know the packet is headed to the tunnel.  See failure below.  It says Flow is denied by configured rule.


Phase: 12
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd8a5bc30, priority=70, domain=encrypt, deny=false
        hits=420, user_data=0x0, cs_id=0xd8a5b548, reverse, flags=0x0, protocol=0
        src ip=192.168.1.0, mask=255.255.255.0, port=0
        dst ip=10.0.1.0, mask=255.255.255.0, port=0, dscp=0x0


Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


I tried debug acl filter, but can't get the level above 1.


Any ideas on what else I need in the config or what else I can use to debug?

Correct Answer
manish arora Fri, 07/16/2010 - 12:10

Have you tried placing both set peer statements under the same outside map entry:

crypto map outside_map 1 set peer x.x.x.x

crypto map outside_map 1 set peer y.y.y.y


I need to do that on one of my firewalls, but I got that information from Cisco TAC (verbally; did not implement yet) that it works well that way.


Hope it helps

Manish

Manish,


That worked, thanks!  I removed all the crypto map 2 and added the second peer to the peer config.  Here is the new crypto configuration:


crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.X.X Y.Y.Y.Y
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400


Works great, my ping across the tunnel doesn't even miss a beat when I pull the X.X.X.X cable.


BTW the peer firewall appliance is a WatchGuard X750e with multi-WAN capabilities where X.X.X.X is a Comcast connection in port 0 and Y.Y.Y.Y is a Qwest connection in port 2 (port 1 is the trusted interface). The Cisco ASA is sitting in a datacenter providing access to some file servers and only has one Internet connection.


Thanks again.
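As an added illustration (not from the thread, and not Cisco's or WatchGuard's code), here is a small Python helper that parses the crypto map lines above, flags the pattern from the question (two sequence numbers matching the same crypto ACL with different peers) and emits the single-entry, multi-peer form from Manish's answer. The function names and the sample configuration string are my own constructions.

```python
import re
from collections import defaultdict
# Constructed sample: the question's crypto map, backup peer on a second sequence number.
BROKEN_CFG = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer Y.Y.Y.Y
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (.+)$")

def parse_crypto_map(cfg):
    # {(map_name, seq): {"acl": str|None, "peers": [...], "ts": [...]}}
    entries = defaultdict(lambda: {"acl": None, "peers": [], "ts": []})
    for line in cfg.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:  # interface binding and non-crypto-map lines carry no sequence number
            continue
        name, seq, kind, rest = m.groups()
        e = entries[(name, int(seq))]
        if kind == "match address":
            e["acl"] = rest.strip()
        elif kind == "set peer":
            e["peers"] += rest.split()  # one entry may list several peers
        else:
            e["ts"] += rest.split()
    return dict(entries)

def find_duplicate_acl_entries(entries):
    # Entries of one map that match the same ACL; more than one is the failing pattern.
    by_acl = defaultdict(list)
    for (name, seq), e in entries.items():
        if e["acl"]:
            by_acl[(name, e["acl"])].append(seq)
    return {k: sorted(v) for k, v in by_acl.items() if len(v) > 1}

def merge_peers(entries, name, acl):
    # Single-entry form: lowest sequence keeps ACL and transform-set, peers in sequence order.
    seqs = sorted(s for (n, s), e in entries.items() if n == name and e["acl"] == acl)
    peers = list(dict.fromkeys(p for s in seqs for p in entries[(name, s)]["peers"]))
    first = entries[(name, seqs[0])]
    return [f"crypto map {name} {seqs[0]} match address {acl}",
            f"crypto map {name} {seqs[0]} set peer {' '.join(peers)}",
            f"crypto map {name} {seqs[0]} set transform-set {' '.join(first['ts'])}"]
```

Running it over a saved `show running-config crypto` output gives the same three-line result the poster ended up with, and re-checking the merged lines reports no duplicate-ACL entries.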

manish arora Fri, 07/16/2010 - 13:43

Hey! Thank you for testing, now I can implement it without getting worried.

thanks
