I have an ASA 5510 with two interfaces that connect to the internet. One is a 150/65 Mbps link, which is our primary connection, and the other is a T1, which is our backup. Last week, I started testing to get everything migrated over to our T1 in preparation for an IP block change on our primary connection that can only be done during business hours. Since we have a bunch of IP phones, I need to keep the VPNs up during this cut, hence moving everything to the T1.
The problem is, no matter what I did, I could not get anything to connect to the IPsec VPN on the T1. I discovered by accident that when I added a static route for the IP of the client that sent the traffic over the T1, the client was able to connect. This was a 'user' VPN, not a site-to-site. That told me that, for whatever reason, the ASA was sending return traffic out the wrong interface.
I then planned to turn IPsec off on the main interface, figuring that if IPsec is disabled, it won't be able to send that traffic out the main interface. Not so much. I got the 'user' VPNs working by adding static route entries. Moving on to the L2L connections, it got really crazy. The problem I was having was that it would not even build the tunnel. I then discovered that even though there was a static route for the endpoint set up, and a match address for the remote network to match it to a tunnel that terminated at the endpoint to which I had a static route, the ASA was still trying to send the traffic out the primary interface. In order to get the L2L VPNs working, I had to have a route for the PRIVATE network pointing at the T1's gateway in addition to the remote endpoint's public IP. Only then would it pass traffic.
The really ridiculous thing is that IPsec seems to be the ONLY traffic the ASA can't route properly without these static routes, which really aren't an option long term. All static NAT entries work properly through the T1 when the primary connection is up. The AnyConnect SSL VPN works properly through the T1 when the primary connection is up.
Is there any way to make the IPsec connection work on either interface without adding static routes for them? One would think that the ASA would be able to send return traffic back out the interface it was received on. The ASA saying 'Well, I received these packets on Interface 2, but I'm going to send my replies out Interface 1' makes no sense. The default route is supposed to be for traffic that doesn't match anything else. The ASA should be smart enough to match the reply packets with the received packets, associate them with the interface the packets arrived on, and then use the route that best matches that interface.
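For reference, the static-route workaround described in the post, written out as an added ASA configuration example (not the poster's own config). Interface names (`outside`, `t1`), addresses and gateways are placeholders; the client, L2L peer and remote private network are constructed values.

```text
! Added example, not the original poster's configuration.
! Placeholders: outside = primary link, t1 = backup T1 link.
!
! Default routes: primary link preferred, T1 as backup with a higher metric.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route t1 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Remote-access (user) IPsec client: host route for the client's public IP
! via the T1 gateway, so return traffic leaves the interface it arrived on.
route t1 192.0.2.50 255.255.255.255 198.51.100.1
!
! L2L tunnel: host route for the peer's public IP AND a route for the
! remote PRIVATE network, both via the T1 gateway (the post found both
! were needed before the tunnel would build and pass traffic).
route t1 192.0.2.100 255.255.255.255 198.51.100.1
route t1 10.20.0.0 255.255.0.0 198.51.100.1
!
! Verify which route the ASA selects for the peer and whether the SA is up.
show route 192.0.2.100
show crypto ipsec sa peer 192.0.2.100
```

Each route added this way is a per-peer entry that has to be maintained by hand, which is the long-term drawback the post raises.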