Terminate RA VPN clients on 2nd Intfc from different ISP?

Unanswered Question

Our ASA 5520 was used to terminate VPN clients only.  Today I terminated a 2nd ISP connection on another interface and made that the default interface on the firewall.

As soon as I did that, VPN connections no longer connected to the original interface, I'm assuming because the response packets are now exiting via the new default interface. I had thought that the reverse-route command would take care of this issue but it doesn't appear to be doing the trick.

Is this dual-ISP configuration possible?  How to get the ASA to respond to VPN connection attempts on the non-default interface?

Thanks in advance for any suggestions!

athukral Sun, 08/22/2010 - 08:26


Hope you must be doing good!

Well, yes, the scenario is possible. Could you please attach the configuration and I will suggest you the workaround accordingly.




Hopefully the attached config gives enough information.   Interface Outside2 is the one I added and set as the default route.  It worked fine but the VPN client connections on Outside then stopped negotiating.  As you can see, I've set 'Outside' back to default for the time being and generic web traffic is using another firewall for the time being.

Nagaraja Thanthry Sun, 08/22/2010 - 08:55


Can you please try this command on the firewall:

route outside2

Hope this helps.



Thank you for the suggestion.

I did add the route but I'm afraid we're failing during the initial ISAKMP negotiation before the 192.168.252.x address is even applied. The firewall log simply shows 'duplicate Phase 1 packet detected', which probably means that the ASA's ISAKMP response is going out the new default interface (outside2) and the remote system is not accepting it.

'Outside' is the interface the VPN traffic comes in on and 'Outside2' is the new general route to the internet.  The config I sent you reflects my change back to the original route to allow VPN users to connect.  Sorry for the confusion.

Nagaraja Thanthry Sun, 08/22/2010 - 08:57


Also, you might want to remove the RRI configuration as that will install host routes. And when the router looks up the host routes, the next hop will be visible via the default route.
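As an added illustration (not code from this thread, the poster's ASA, or Cisco), the following Python models the routing lookup that both the original symptom and the RRI remark above describe: a longest-prefix-match table with a default route via the second ISP, an RRI-style host route for a client's pool address whose next hop is the client's public peer address, and recursive resolution of that next hop. All addresses are constructed (RFC 5737 documentation ranges, plus the 192.168.252.x pool mentioned in the thread); the interface names Outside/Outside2 are taken from the thread, and the way RRI is modelled (host route with a peer next hop and no interface) is a simplifying assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: Optional[str]               # None = recursive route, resolve next_hop again
    next_hop: Optional[ipaddress.IPv4Address]  # None = directly connected

def table(*rows) -> List[Route]:
    """Build routes from (prefix, interface, next_hop) tuples. Constructed sample data."""
    return [Route(ipaddress.ip_network(p), i, ipaddress.ip_address(nh) if nh else None)
            for p, i, nh in rows]

def longest_match(routes: List[Route], dst) -> Optional[Route]:
    """Plain longest-prefix match over the table."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)

def egress(routes: List[Route], dst, max_depth: int = 4) -> Optional[Tuple[str, Optional[str]]]:
    """Return (egress interface, gateway) for dst, resolving recursive routes."""
    current = ipaddress.ip_address(dst)
    for _ in range(max_depth):
        r = longest_match(routes, current)
        if r is None:
            return None
        if r.interface is not None:
            return (r.interface, str(r.next_hop) if r.next_hop else None)
        current = r.next_hop  # host route learned via RRI: chase the peer address itself
    return None

# Constructed topology: Outside = original ISP (VPN terminates here), Outside2 = new ISP.
BASE = table(
    ("10.0.0.0/24",      "Inside",   None),
    ("198.51.100.0/24",  "Outside",  None),
    ("203.0.113.0/24",   "Outside2", None),
    ("0.0.0.0/0",        "Outside2", "203.0.113.1"),   # default moved to the 2nd ISP
)
PEER = "192.0.2.25"          # a remote-access client's public address (constructed)
POOL_ADDR = "192.168.252.10" # its assigned pool address (pool from the thread)

# RRI-style host route: pool address reachable via the peer, no interface pinned.
BROKEN = BASE + table((POOL_ADDR + "/32", None, PEER))

# Hypothetical remedy for a *known* client source range: pin it to Outside's gateway.
FIXED = BROKEN + table(("192.0.2.0/24", "Outside", "198.51.100.1"))

if __name__ == "__main__":
    for name, rt in (("default via Outside2", BROKEN), ("peer range pinned to Outside", FIXED)):
        print(f"{name}:")
        print(f"  IKE reply to {PEER:<16} -> {egress(rt, PEER)}")
        print(f"  traffic to  {POOL_ADDR:<16} -> {egress(rt, POOL_ADDR)}")
```

With the default route on Outside2, the IKE response to the peer and any traffic to the RRI host route both resolve to Outside2, which is the behaviour the poster sees in the log. Pinning the peer's range to Outside changes the egress, but that only works when client source addresses are predictable; for roaming remote-access users they generally are not, which is why the thread is looking at the default route and RRI rather than per-peer statics.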



