08-22-2010 07:53 AM - edited 03-11-2019 11:29 AM
Our ASA 5520 was used to terminate VPN clients only. Today I terminated a 2nd ISP connection on another interface and made that the default interface on the firewall.
As soon as I did that, VPN connections no longer connected to the original interface, I'm assuming because the response packets are now exiting via the new default interface. I had thought that the reverse-route command would take care of this issue but it doesn't appear to be doing the trick.
Is this dual-ISP configuration possible? How to get the ASA to respond to VPN connection attempts on the non-default interface?
Thanks in advance for any suggestions!
08-22-2010 08:26 AM
Hello,
Hope you are doing well!
Well, yes, the scenario is possible. Could you please attach the configuration and I will suggest you the workaround accordingly.
Thanks
Ankur
08-22-2010 08:46 AM
Thanks.
Hopefully the attached config gives enough information. Interface Outside2 is the one I added and set as the default route. It worked fine but the VPN client connections on Outside then stopped negotiating. As you can see, I've set 'Outside' back to default for the time being and generic web traffic is using another firewall for the time being.
08-22-2010 08:55 AM
Hello,
Can you please try this command on the firewall:
route outside2 192.168.252.0 255.255.255.0
Hope this helps.
Regards,
NT
08-22-2010 09:14 AM
Thank you for the suggestion.
I did add the route but I'm afraid we're failing during the initial ISAKMP negotiation before the 192.168.252.x address is even applied. The firewall log simply shows 'duplicate Phase 1 packet detected', which probably means that the ASA's ISAKMP response is going out the new default interface (outside2) and the remote system is not accepting it.
'Outside' is the interface the VPN traffic comes in on and 'Outside2' is the new general route to the internet. The config I sent you reflects my change back to the original route to allow VPN users to connect. Sorry for the confusion.
08-22-2010 08:57 AM
Hello,
Also, you might want to remove the RRI configuration as that will install host routes. And when the router looks up the host routes, the next hop will be visible via the default route.
Regards,
NT
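Added example, not from the thread or from Cisco: a small longest-prefix-match model of the routing decision the thread is arguing about. It assumes the ASA picks the egress interface for its own ISAKMP reply purely from the routing table (a modelling assumption, not a statement about any specific ASA release), uses the interface names Outside/Outside2 and the 192.168.252.0/24 pool from the thread, and constructs everything else: ISP gateways 198.51.100.1 (Outside) and 203.0.113.1 (Outside2) and a VPN client coming from public address 192.0.2.77. It shows why a route for the address pool alone (the 192.168.252.0/24 suggestion) cannot help with Phase 1, because the reply is addressed to the peer's public IP, not to a pool address, and that only a route covering the peer's public prefix moves the reply back onto Outside.

```python
import ipaddress
from dataclasses import dataclass

# Names from the thread; every address below is constructed for illustration.
OUTSIDE, OUTSIDE2 = "Outside", "Outside2"
GW_OUTSIDE = "198.51.100.1"    # assumed ISP1 gateway on Outside
GW_OUTSIDE2 = "203.0.113.1"    # assumed ISP2 gateway on Outside2
VPN_POOL = "192.168.252.0/24"  # pool from the thread
CLIENT_PUBLIC = "192.0.2.77"   # constructed public address of a VPN client


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: str
    metric: int = 1


class RouteTable:
    """Minimal static routing table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, iface, gateway, metric=1):
        self.routes.append(Route(ipaddress.ip_network(prefix), iface, gateway, metric))
        return self

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        # Longest prefix wins; on equal length, the lower metric wins.
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def reply_interface(table, peer):
    """Interface a locally generated reply to `peer` would leave on."""
    route = table.lookup(peer)
    return route.iface if route else None


def check_ike_reply(table, ingress_iface, peer):
    """Return (egress_iface, symmetric): does the IKE reply leave on the
    same interface the peer's request arrived on?"""
    egress = reply_interface(table, peer)
    return egress, egress == ingress_iface


def broken_table():
    """State described in the thread: Outside2 is the default, plus the
    suggested pool route (gateway assumed)."""
    return (RouteTable()
            .add("0.0.0.0/0", OUTSIDE2, GW_OUTSIDE2)
            .add(VPN_POOL, OUTSIDE2, GW_OUTSIDE2))


def fixed_table():
    """Same table plus a route covering the peer's public prefix via
    Outside, so the Phase 1 reply exits where the request came in."""
    return broken_table().add("192.0.2.0/24", OUTSIDE, GW_OUTSIDE)


if __name__ == "__main__":
    for name, table in (("broken", broken_table()), ("fixed", fixed_table())):
        egress, ok = check_ike_reply(table, OUTSIDE, CLIENT_PUBLIC)
        print(f"{name}: IKE request in on {OUTSIDE}, reply out on {egress} "
              f"-> {'symmetric' if ok else 'ASYMMETRIC, peer will drop it'}")
```

The pool route only matters after a client has been assigned a 192.168.252.x address, which is why the 'duplicate Phase 1 packet' symptom persists with it in place. A per-prefix static route fixes the model for one known peer prefix, but for remote-access clients arriving from arbitrary addresses it is not a general answer; the point of the example is to make the asymmetry visible, not to claim it as the complete ASA fix.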