Site-to-site VPN Failover with ISP Failover

msingh2007 · ‎04-16-2013

Hello

I am using the Cisco ASA 5520 with Software Version 8.2(3). I have several site-to-site VPN connections and two separate ISP connections. I have set up the SLA tracker for the dual ISP so that if one fails the other one takes over. But I don't know how to do the same for the site-to-site IPSec VPN tunnels. I have read a few discussions on the Cisco Support Community but I am really confused about what to do. I have two outside interfaces: outside and WAN2. I understand you can only apply the crypto to one interface so how would I make the change to allow the VPN to failover when the primary ISP were to fail?

Here is my configuration for the cryptos and SLA tracker:

crypto map outside_map 10 match address ACL_VPN_1

crypto map outside_map 10 set pfs

crypto map outside_map 10 set peer x.x.x.x x x.x.x.x

crypto map outside_map 10 set transform-set NAME_SET

crypto map outside_map 10 set security-association lifetime seconds 28800

crypto map outside_map 10 set security-association lifetime kilobytes 4608000

crypto map outside_map 20 match address ACL_VPN_2

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer x.x.x.x x

crypto map outside_map 20 set transform-set NAME_SET2

crypto map outside_map 20 set security-association lifetime seconds 28800

crypto map outside_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

route outside 0.0.0.0 0.0.0.0 100.100.100.100 1 track 1

route WAN2 0.0.0.0 0.0.0.0 200.200.200.200 254

track 1 rtr 123 reachability

sla monitor 123

type echo protocol ipIcmpEcho 8.8.8.8 interface outside

num-packets 3

timeout 1000

frequency 3

sla monitor schedule 123 life forever start-time now

Thank you!!

Jouni Forss · ‎04-16-2013

Hi,

I configured a lab for this sometime ago and to my understanding the main things you have to take care of are

Attach the Crypto Map to both of the WAN interfaces
Configure the appropriate NAT required by the VPN
Make sure the interface/default route tracking works
That L2L VPN remote peers have configured both of your WAN interface IP addresses as their peer IP address for the L2L VPN connection in question

Here is the link to 8.2 software command that attaches the Crypto Map to the interface

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2237953

In the above situation you have all the configuration under the single Crypto Map with different sequence numbers. Therefore you should be able to attach this Crypto Map to any interface you want and to multiple interfaces if you want.

I think the actual limitation was that you can only attach one Crypto Map to a single interface.

I might be able to look at my lab configuration later today and post it for you to compare.

- Jouni

msingh2007 · ‎04-16-2013

Hello Jouni

That was valuable information. I just want to know how to attach the crypto map to more than one interface. Everything else I have figured out without any problems.

If you could look into that for me I would really appreciate it!!

Thanks

Jouni Forss · ‎04-16-2013

Hi,

Here is configurations from my Lab ASA5520 with Dual ISP

interface GigabitEthernet0/0

description Primary ISP

nameif WAN-1

security-level 0

ip address 192.168.101.2 255.255.255.0

!

interface GigabitEthernet0/1

description Secondary ISP

nameif WAN-2

security-level 0

ip address 192.168.102.2 255.255.255.0

!

interface GigabitEthernet0/2

description LAN

nameif LAN

security-level 100

ip address 10.0.20.2 255.255.255.0

route WAN-1 0.0.0.0 0.0.0.0 192.168.101.1 1 track 200

route WAN-2 0.0.0.0 0.0.0.0 192.168.102.1 254

route LAN 10.0.0.0 255.255.255.0 10.0.20.1 1

access-list L2L-VPN-CRYPTOMAP remark Encryption Domain

access-list L2L-VPN-CRYPTOMAP extended permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list LAN-NAT0 extended permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0

nat (LAN) 0 access-list LAN-NAT0

sla monitor 200

type echo protocol ipIcmpEcho 192.168.101.1 interface WAN-1

num-packets 3

timeout 1000

frequency 5

sla monitor schedule 200 life forever start-time now

track 200 rtr 200 reachability

crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map CRYPTOMAP 10 match address L2L-VPN-CRYPTOMAP

crypto map CRYPTOMAP 10 set peer 192.168.103.2

crypto map CRYPTOMAP 10 set transform-set AES-256

crypto map CRYPTOMAP interface WAN-1

crypto map CRYPTOMAP interface WAN-2

crypto isakmp enable WAN-1

crypto isakmp enable WAN-2

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 28800

tunnel-group 192.168.103.2 type ipsec-l2l

tunnel-group 192.168.103.2 ipsec-attributes

pre-shared-key *****

Hope this helps

- Jouni

zyang · ‎07-23-2013

If you can attach the same crypto map to multiple interfaces, can you create multiple crypto maps and attach them to individual interfaces? For example a crypto map for each interface (crypto map WAN1 & crypto map WAN2).

Also what would be the pros and cons of doing it this way? Does a new crypto map eat up more resources? Or is it generally always better to have just one crypto map?