Terminate RA VPN clients on 2nd Intfc from different ISP?

craig
Level 1

Our ASA 5520 was used to terminate VPN clients only.  Today I terminated a 2nd ISP connection on another interface and made that the default interface on the firewall.

As soon as I did that, VPN connections no longer connected to the original interface, I'm assuming because the response packets are now exiting via the new default interface. I had thought that the reverse-route command would take care of this issue but it doesn't appear to be doing the trick.

Is this dual-ISP configuration possible?  How to get the ASA to respond to VPN connection attempts on the non-default interface?

Thanks in advance for any suggestions!

5 Replies

athukral
Level 1

Hello,

Hope you are doing well!

Well, yes, the scenario is possible. Could you please attach the configuration and I will suggest the workaround accordingly.

Thanks

Ankur

Thanks.

Hopefully the attached config gives enough information. Interface Outside2 is the one I added and set as the default route. It worked fine, but the VPN client connections on Outside then stopped negotiating. As you can see, I've set 'Outside' back to default for the time being, and generic web traffic is using another firewall.

Hello,

Can you please try this command on the firewall:

route outside2 192.168.252.0 255.255.255.0

Hope this helps.

Regards,

NT

Thank you for the suggestion.

I did add the route, but I'm afraid we're failing during the initial ISAKMP negotiation before the 192.168.252.x address is even applied. The firewall log simply shows 'duplicate Phase 1 packet detected', which probably means that the ASA's ISAKMP response is going out the new default interface (outside2) and the remote system is not accepting it.

'Outside' is the interface the VPN traffic comes in on and 'Outside2' is the new general route to the internet.  The config I sent you reflects my change back to the original route to allow VPN users to connect.  Sorry for the confusion.

Hello,

Also, you might want to remove the RRI configuration as that will install host routes. And when the router looks up the host routes, the next hop will be visible via the default route.

Regards,

NT
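The routing problem the thread describes is that the ASA picks the egress interface for its own ISAKMP replies from the routing table, not from the interface the peer's packet arrived on, so once the default route moves to Outside2 the reply to a peer that negotiated on Outside leaves via Outside2. The fragment below is an added example, not configuration from the original thread or the poster's attached config: it keeps the default route on the second ISP and pins known VPN peers back to the first ISP with more-specific static routes. The interface names Outside and Outside2 are taken from the poster's description; every IP address, the crypto map name and the peer prefixes are assumed for illustration.

```cisco
! Added example, not from the original thread. Interface names follow the
! poster's description; all addresses and the crypto map name are assumed.
!
! General internet traffic uses ISP-2 as the default route.
route Outside2 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Known VPN peers (site-to-site peers, or clients behind fixed public
! addresses) get more-specific routes via ISP-1, so ISAKMP (UDP/500,
! UDP/4500) and ESP replies leave the interface the negotiation arrived on.
route Outside 203.0.113.0 255.255.255.0 192.0.2.1 1
route Outside 203.0.113.200 255.255.255.255 192.0.2.1 1
!
! Backup default route via ISP-1 with a high administrative distance; it
! is only installed if the Outside2 default route goes away.
route Outside 0.0.0.0 0.0.0.0 192.0.2.1 254
!
! VPN termination stays bound to Outside.
crypto map VPN-MAP interface Outside
crypto isakmp enable Outside
! (on ASA 8.4 and later the equivalent is: crypto ikev1 enable Outside)
```

Verify which interface a reply to a given peer would use with `show route 203.0.113.200` (substituting the peer's public address): the output must name Outside, not Outside2. The caveat is the one the thread itself runs into: per-peer static routes only help when the peers' public addresses are known in advance, which is not the case for roaming remote-access clients, and the RRI host routes mentioned above only cover the assigned pool addresses after Phase 1 completes, not the peer's public address used during the negotiation. For arbitrary client sources the ASA needs a way to route by ingress interface rather than by destination, which is why the poster reverted the default route to Outside.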
