BRING INSIDE INTERFACE UP WHEN NOTHING CONNECTED

Unanswered Question
Nov 26th, 2013
User Badges:

Hi All,


BACKGROUND

We have an ASA on site that is running VPN connectivity out to the web from head office location. Accordingly, we having nothing plugged into the inside interface just the Outside interface where we interconnect to the web. The ASA is configured with a site to site VPN between sites for mainly remote access and off site syslogging.


PROBLEM

We have configured the VPN with the inside network address, in this example 172.24.0.0/24 and the isakmp and Crypto Map bound to the Outside interface. However, when we try to bring up the tunnel we get the message "inside interface down" which we would expect as there is no physical device connected to the ethernet port to bring it up. On IOS routers we can use the command "No autostate" to stop virtual interfaces going down, but how can we fix this problem on the ASA?


Any help appreciated.


thanks,

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jouni Forss Tue, 11/26/2013 - 04:43
User Badges:
  • Super Bronze, 10000 points or more

Hi,


Could you clarify the setup a bit more or even provide configuration and picture of topology?


I am not sure why you would configure a device with a L2L VPN where the source address are located behind an interface that is not even up?


If the ASA uses the "outside" interface for all the traffic (through the use of VPN connections) then the new L2L VPN connection would probably need to be tested through another VPN connection.


Though I have to say that I am not sure if I have understood the situation completely


To my understanding there is no similiar way to keep an interface up on an ASA like its with the Routers / L3 switches for example. I once did this on an ASA5505 by connecting 2 ASA ports together with different Vlan IDs. Had to be carefull not to make the wrong connection or the ASA would get overwhelmed by broadcasts.



- Jouni

tech01cisco Tue, 11/26/2013 - 05:15
User Badges:

Hi Jouni,


Yes, probably not the best description we have ever given. Anyway, the ASA is onsite to provide internet access for remote VPN users so there is no onsite LAN set up. The reason we have set up a site to site is purely for syslog messages that are required to be logged offsite for corporate purposes. The main thing is getting syslogging offsite to a remote server which I guess could be achieved without the VPN. Hope this clarifies our requirements.we use SSH for management of the ASA.


Thanks,

Jouni Forss Tue, 11/26/2013 - 05:33
User Badges:
  • Super Bronze, 10000 points or more

Hi,


I am still confused about the fact how the user connect to the VPN device to get Internet connection if they are already using an Internet connection to connect to the VPN device? (As you say it only has an external connection)


I would understand the setup if the external VPN users connecting to the device would need to show up to the external network with the VPN devices public IP address to get access to some remote resources that are opened only for this VPN devices public IP address but if its not that then I am still not sure what the setup is doing.


If your only problem is getting the L2L VPN connection working for the purpose of sending Syslog from the device itself to the central server through the L2L VPN then you should configure the VPN devices external public IP address as the local address for the L2L VPN (only that IP address) and configure the "logging" configurations to use the "outside" interface so the device will use the public IP address as the source. The device should then tunnel the Syslog traffic through the L2L VPN, provided that the L2L VPN comes up ofcourse but I guess it should if you use some commands to generate log messages or form connections that generate logs messages.


- Jouni

Actions

This Discussion