Load sharing ASA VPNs across 2 Internet connections

Unanswered Question
Sep 2nd, 2010

I have 2 new 100Mbps fiber links to a single ISP. They are terminated on two Cisco IOS routers with BGP configured as described in Cisco document ID #13762, per the "Load sharing when dual-homed to one ISP through multiple local routers" section. That is all working as expected.

This new fully redundant connection is for a failover pair of ASA 5520s that will be terminating a large number of VPNs.

Because BGP "load shares" as opposed to round-robin, per-packet "load balancing", I planned to have two outside interfaces configured on the ASA: one for the 192.168.11.0 primary network (see the diagram in the Cisco doc above) and one on the 192.168.12.0 secondary net. Then I'd point half of my remote VPN routers at a 192.168.11.x peer address and the other half at the ASA's 192.168.12.x address. This would allow BGP to distribute the traffic from the remotes across the two links based on destination address.

Unfortunately, the ASA does not allow me to configure a default route for each of the two public interfaces. I get a default route in for one interface just fine, but it won't accept another (equal-cost) route for the other interface. According to the ASA config guides, this is the way it's supposed to be.

How can I terminate VPNs on two interfaces of the ASA and get the traffic distributed across both links, preferably by source address?

Route maps on the ASA only function for redistribution of routes via dynamic routing protocols, so a simple route map can't be used. Since my two "local" subnets are contiguous, I considered deliberately mis-configuring the ASA public interfaces' subnet masks (they're really /26 each and I'd make them /25) and letting "ip proxy-arp" on the routers try to sort it out, but I doubt the ASA will allow two interfaces to be configured on the same subnet.

Do I need to enable OSPF on the ASA and the Internet routers and let the routers re-distribute default routes to the ASAs? I'm not sure how the overlaid primary and secondary subnets would affect the OSPF multicast packets.

Jon Marshall Thu, 09/02/2010 - 13:35

Do I need to enable OSPF on the ASA and the Internet routers and let the routers re-distribute default routes to the ASAs? I'm not sure how the overlaid primary and secondary subnets would affect the OSPF multicast packets.

Yes, using a routing protocol is really the only way to achieve what you want as the ASA does not support PBR. Not sure what you mean by "overlaid" subnets, can you clarify?

Jon

darthnul Thu, 09/02/2010 - 14:31

Jon,

Thanks for the response!

By "overlaid" I mean the two logical subnets are sharing the same physical link. In this case there is a switch with only VLAN 1 configured and the subnets 192.168.11.0/24 and 192.168.12.0/24 both exist in that space. The routers both have secondary addresses as well as their 'regular' addresses on their Gi0/2 interfaces.

I'm wondering if the OSPF "hello" packets which use a multicast destination address would cause confusion since each interface running OSPF would see hellos from both subnets. If so, would statically configuring neighbors take care of that?

darthnul Fri, 09/03/2010 - 10:18

I configured OSPF on the routers and the ASA. The routers redistribute BGP into OSPF. I also removed the secondary IP addresses from the router Gi0/2 interfaces and put them on the previously unused Gi0/1 interfaces. I VLAN'd the switch so I no longer have both subnets residing on a single VLAN. I removed the static default routes from the ASA.

Everything on the two local VLANs can ping everything else on the two VLANs so it's all cabled correctly. I can ping all the routers and switches from another separate Internet connection. I can still only ping one of the public ASA addresses though...

The ASA routing table shows two default routes but they're both for the same public interface. No default for the other ASA public interface.

ASA log shows pinging one interface is normal, but when I ping the other ASA interface (the one that doesn't work) I get:

6    Sep 03 2010    11:59:28    110003    63.234.103.132    0    71.39.107.154    0    Routing failed to locate next hop for icmp from public:X.X.X.132/0 to public:71.39.107.154/0.

Jon Marshall Fri, 09/03/2010 - 14:08

darthnul wrote:

I configured OSPF on the routers and the ASA. The routers redistribute BGP into OSPF. I also removed the secondary IP addresses from the router Gi0/2 interfaces and put them on the previously unused Gi0/1 interfaces. I VLAN'd the switch so I no longer have both subnets residing on a single VLAN. I removed the static default routes from the ASA.

Everything on the two local VLANs can ping everything else on the two VLANs so it's all cabled correctly. I can ping all the routers and switches from another separate Internet connection. I can still only ping one of the public ASA addresses though...

The ASA routing table shows two default routes but they're both for the same public interface. No default for the other ASA public interface.

ASA log shows pinging one interface is normal, but when I ping the other ASA interface (the one that doesn't work) I get:

6    Sep 03 2010    11:59:28    110003    63.234.103.132    0    71.39.107.154    0    Routing failed to locate next hop for icmp from public:X.X.X.132/0 to public:71.39.107.154/0.

I may be misunderstanding what you are doing here. I thought you wanted the ASA to see 2 default routes via the 2 routers. Is this not what you want?

Jon

darthnul Fri, 09/03/2010 - 14:42

Jon,

Nope. I want to have one ASA with two "public" interfaces on two different subnets, with each interface having a default route to the Internet. IOW, two Internet reachable addresses on a single ASA.

I have tried this several ways and I can only get one of the interfaces to work at a time. They'll both talk to hosts on their local VLAN but only one interface can get upstream. I can manipulate which interface will work, but I can't get them working at the same time.

Cisco docs say you can't have equal-cost static routes for two interfaces. You can have up to 3 equal-cost routes on one interface, but if you want defaults on two interfaces they have to have different costs (so only one will be in the active routing table). I don't know if it's possible to get around that with OSPF but it hasn't looked good so far.

I'm probably going to have to break up the ASA failover pair and configure them as two stand-alones: one with a single public interface for subnet "A" and the other ASA for subnet "B". That will complicate things because I'll have to give the remote routers the capability to switch VPN peers (without going into cellular backup) in case an ASA goes out which also means configuring OSPF between the ASAs and my GRE routers so the GRE routers can keep track of the remote tunnel destination loopback addresses.
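The route-installation rule darthnul quotes above (up to three equal-cost routes to a prefix on one interface, equal-cost routes on two interfaces rejected, a second-interface default accepted only with a worse metric) is easy to reason about with a small model. The following Python is an added illustration written for this page, not ASA code and not from any poster; it assumes exactly the behaviour the thread describes and nothing more, and the interface names `outside_a`/`outside_b`, the gateway addresses and the TEST-NET destination are constructed for the example.

```python
"""Toy model of ASA static-route installation as described in the thread.

Added illustration, not Cisco code. Assumed rules (taken from the posts):
  1. equal-cost routes to the same prefix must all be on ONE interface;
  2. at most three equal-cost routes per prefix per interface;
  3. a route on another interface is accepted only with a different metric,
     and then sits as a floating backup until the preferred interface fails.
Interface names and addresses below are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress

MAX_ECMP_PER_INTERFACE = 3  # limit quoted in the thread


class RouteConflict(Exception):
    """Raised where the real ASA refuses the 'route' command."""


@dataclass(frozen=True)
class StaticRoute:
    interface: str
    prefix: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int = 1


class AsaRib:
    def __init__(self):
        self.routes = []      # every configured static route
        self.link_up = {}     # interface name -> bool

    def add_interface(self, name, up=True):
        self.link_up[name] = up

    def add_route(self, interface, prefix, gateway, metric=1):
        prefix = ipaddress.IPv4Network(prefix)
        gateway = ipaddress.IPv4Address(gateway)
        same_metric = [r for r in self.routes
                       if r.prefix == prefix and r.metric == metric]
        # Rule 1: an equal-cost route to this prefix on another interface.
        if any(r.interface != interface for r in same_metric):
            raise RouteConflict(
                f"equal-cost route to {prefix} already exists on another interface")
        # Rule 2: the per-interface ECMP limit.
        if len(same_metric) >= MAX_ECMP_PER_INTERFACE:
            raise RouteConflict(
                f"already {MAX_ECMP_PER_INTERFACE} equal-cost routes to {prefix}")
        self.routes.append(StaticRoute(interface, prefix, gateway, metric))

    def active_routes(self):
        """Forwarding table: per prefix, the lowest-metric routes whose
        interface is up. Worse-metric routes are floating and stay out."""
        best = {}
        for r in self.routes:
            if not self.link_up.get(r.interface, False):
                continue
            current = best.get(r.prefix)
            if current is None or r.metric < current[0].metric:
                best[r.prefix] = [r]
            elif r.metric == current[0].metric:
                current.append(r)
        return best

    def lookup(self, dst):
        """Longest-prefix match; None mirrors 'Routing failed to locate next hop'."""
        dst = ipaddress.IPv4Address(dst)
        active = self.active_routes()
        matches = [p for p in active if dst in p]
        if not matches:
            return None
        return active[max(matches, key=lambda p: p.prefixlen)]


def dual_outside_demo():
    """The thread's scenario: one ASA, two outside interfaces, two ISP links."""
    rib = AsaRib()
    rib.add_interface("outside_a")
    rib.add_interface("outside_b")
    rib.add_route("outside_a", "0.0.0.0/0", "192.168.11.1", 1)
    try:  # the equal-cost second default the original post tried to add
        rib.add_route("outside_b", "0.0.0.0/0", "192.168.12.1", 1)
        rejected = False
    except RouteConflict:
        rejected = True
    # What the ASA does accept: a floating default with a worse metric.
    rib.add_route("outside_b", "0.0.0.0/0", "192.168.12.1", 254)
    dst = "203.0.113.5"  # constructed destination (TEST-NET-3)
    via_normal = {r.interface for r in rib.lookup(dst)}
    rib.link_up["outside_a"] = False  # first link fails
    via_failover = {r.interface for r in rib.lookup(dst)}
    return rejected, via_normal, via_failover


def ecmp_same_interface_demo():
    """Equal-cost defaults ARE allowed, three of them, on one interface."""
    rib = AsaRib()
    rib.add_interface("outside_a")
    accepted = 0
    for last_octet in range(1, 5):  # try four; the fourth must be refused
        try:
            rib.add_route("outside_a", "0.0.0.0/0", f"192.168.11.{last_octet}", 1)
            accepted += 1
        except RouteConflict:
            break
    return accepted


if __name__ == "__main__":
    print(dual_outside_demo())          # (True, {'outside_a'}, {'outside_b'})
    print(ecmp_same_interface_demo())   # 3
```

The model makes the thread's observation concrete: with both links up every lookup resolves to `outside_a`, so the second interface never carries upstream traffic, and only when `outside_a` is down does the floating default on `outside_b` become active. That is the "one at a time" behaviour reported above, and it is why per-destination load sharing by terminating peers on two interfaces of the same ASA does not work with static routes alone.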

Jon Marshall Fri, 09/03/2010 - 14:51

Ahh sorry, my sincere apologies for misunderstanding.

If you weren't running VPNs the solution would be to use multi-context on the ASA pair in active/active, but as far as I know the ASAs still do not support multi-context with VPNs.

Yes you would need to split up the ASAs which is not ideal. Obviously routers would not have this issue, yet another limitation of the ASA devices.

Once again, apologies for wasting your time, wasn't intended,

Jon

darthnul Fri, 09/03/2010 - 15:00

Jon,

Actually, the VLANs only exist on the switches. The ASA interfaces aren't VLAN'd. I have two physical ASA ports plugged into two access ports (assigned to different VLANs) of a switch.

I've never done the multiple context thing with ASAs, or active/active failover. I wonder if I can learn that by Tuesday... What's on the recommended reading list for that?

Thanks for your help ..jgm

Jon Marshall Fri, 09/03/2010 - 15:03

darthnul wrote:

Jon,

Actually, the VLANs only exist on the switches. The ASA interfaces aren't VLAN'd. I have two physical ASA ports plugged into two access ports (assigned to different VLANs) of a switch.

I've never done the multiple context thing with ASAs, or active/active failover. I wonder if I can learn that by Tuesday... What's on the recommended reading list for that?

Thanks for your help ..jgm

It's not VLANs, it's VPNs, i.e. when running in multi-context mode the ASAs do not support VPNs.

Jon

darthnul Fri, 09/03/2010 - 15:06

Thanks, it's been a long week...

I think my brain didn't want to see "VPNs" because that's all we use the ASAs for. We don't use 'em for firewalling, just for VPNs. Our firewalls are about the only non-Cisco hardware on our network.

...jgm

darthnul Fri, 09/03/2010 - 15:03

OOPS!

I must've read "VLANs" where you wrote "VPNs".

...jgm
