ASA (Standby) doesn't work using VPN IPSEC with FAILOVER

monter_85
Level 1

Hello,

I'm configuring a VPN IPSEC using FAILOVER. I have three ASAs. Of these three, two are configured with FAILOVER and VPN IPSEC. The other only with IPSEC.

The problem is when the ASA configured as Active is shut down. The other ASA (standby) doesn't work with VPN IPsec. I don't know where the problem is.

Data of my network:

LAN1 (Inside) - 192.168.1.0/24

LAN2 (Inside) -192.168.2.0/24

LAN - OUTSIDE 200.200.200.0/24

LAN -FAILOVER 192.168.99.0/24

And this is my configuration:

ASA (Active)

hostname ACTIVE-ASA
interface gigabitEthernet 2
no shutdown
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet2
failover link FAILOVER GigabitEthernet2
failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.3
failover
interface GigabitEthernet 1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.3
no shutdown
interface GigabitEthernet 0
nameif outside
security-level 0
ip address 200.200.200.1 255.255.255.0 standby 200.200.200.3
no shutdown
monitor-interface inside
monitor-interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.2
access-list LAN1-to-LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
object network obj-local
subnet 192.168.1.0 255.255.255.0
object network obj-remote
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600
crypto ikev1 enable outside
crypto isakmp identity address
tunnel-group 200.200.200.2 type ipsec-l2l
tunnel-group 200.200.200.2 ipsec-attributes
ikev1 pre-shared-key cisco123
crypto ipsec ikev1 transform-set ASA1TS esp-aes-192 esp-sha-hmac
crypto map ASA1VPN 10 match address LAN1-to-LAN2
crypto map ASA1VPN 10 set peer 200.200.200.2
crypto map ASA1VPN 10 set ikev1 transform-set ASA1TS
crypto map ASA1VPN 10 set security-association lifetime seconds 3600
crypto map ASA1VPN interface outside


ASA (Standby)

interface GigabitEthernet 2
no shutdown
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet2
failover link FAILOVER GigabitEthernet2
failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.3
failover


ASA -2

hostname ASA-2
interface GigabitEthernet 0
nameif outside
ip addr 200.200.200.2 255.255.255.0
no shutdown
interface GigabitEthernet 1
nameif inside
ip addr 192.168.2.1 255.255.255.0
no shutdown
route outside 0 0 200.200.200.1
access-list LAN2-to-LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
object network obj-local
subnet 192.168.2.0 255.255.255.0
object network obj-remote
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600
crypto ikev1 enable outside
crypto isakmp identity address
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
ikev1 pre-shared-key cisco123
crypto ipsec ikev1 transform-set ASA2TS esp-aes-192 esp-sha-hmac
crypto map ASA2VPN 10 match address LAN2-to-LAN1
crypto map ASA2VPN 10 set peer 200.200.200.1
crypto map ASA2VPN 10 set ikev1 transform-set ASA2TS
crypto map ASA2VPN 10 set security-association lifetime seconds 3600
crypto map ASA2VPN interface outside


I don't know
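As an added example (not part of this thread and not Cisco code): the two IPsec peers in a site-to-site tunnel have to mirror each other (crypto ACL reversed, same transform set, same IKE policy, same pre-shared key, each peer address pointing at the other's outside address). The Python checker below reads the relevant lines of the ASA-1 and ASA-2 configurations posted above, extracts those pieces and reports any mismatch; the config strings are trimmed copies of the posted configs, and the function names and the result format are my own.

```python
"""Added example: check that two ASA IKEv1 site-to-site configs mirror each other.

Config excerpts are trimmed copies of the ASA-1 and ASA-2 configurations
posted in the thread; parser and checker are illustrative, not Cisco code.
"""

ASA1_CFG = """
interface GigabitEthernet 0
nameif outside
ip address 200.200.200.1 255.255.255.0 standby 200.200.200.3
access-list LAN1-to-LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600
tunnel-group 200.200.200.2 ipsec-attributes
ikev1 pre-shared-key cisco123
crypto ipsec ikev1 transform-set ASA1TS esp-aes-192 esp-sha-hmac
crypto map ASA1VPN 10 match address LAN1-to-LAN2
crypto map ASA1VPN 10 set peer 200.200.200.2
crypto map ASA1VPN 10 set ikev1 transform-set ASA1TS
crypto map ASA1VPN interface outside
"""

ASA2_CFG = """
interface GigabitEthernet 0
nameif outside
ip addr 200.200.200.2 255.255.255.0
access-list LAN2-to-LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600
tunnel-group 200.200.200.1 ipsec-attributes
ikev1 pre-shared-key cisco123
crypto ipsec ikev1 transform-set ASA2TS esp-aes-192 esp-sha-hmac
crypto map ASA2VPN 10 match address LAN2-to-LAN1
crypto map ASA2VPN 10 set peer 200.200.200.1
crypto map ASA2VPN 10 set ikev1 transform-set ASA2TS
crypto map ASA2VPN interface outside
"""

POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")


def parse_asa(cfg):
    """Extract the pieces of an ASA config that decide whether an IKEv1 L2L tunnel forms."""
    d = {"outside_ip": None, "acls": {}, "policies": {}, "psk": {}, "ts": {}, "maps": {}}
    ctx = None  # the multi-line block (interface / policy / tunnel-group) the line belongs to
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface":
            ctx = ("iface", None)
        elif w[0] == "nameif" and ctx and ctx[0] == "iface":
            ctx = ("iface", w[1])
        elif w[0] == "ip" and len(w) > 2 and w[1].startswith("addr") and ctx == ("iface", "outside"):
            d["outside_ip"] = w[2]                      # accepts "ip address" and "ip addr"
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            d["acls"][w[1]] = tuple(w[5:9])             # (src, src-mask, dst, dst-mask)
        elif w[:3] == ["crypto", "ikev1", "policy"]:
            ctx = ("policy", w[3])
            d["policies"][w[3]] = {}
        elif ctx and ctx[0] == "policy" and w[0] in POLICY_KEYS:
            d["policies"][ctx[1]][w[0]] = " ".join(w[1:])
        elif w[0] == "tunnel-group" and len(w) > 2 and w[2] == "ipsec-attributes":
            ctx = ("tg", w[1])
        elif ctx and ctx[0] == "tg" and w[:2] == ["ikev1", "pre-shared-key"]:
            d["psk"][ctx[1]] = w[2]
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            d["ts"][w[4]] = tuple(sorted(w[5:]))        # order-independent comparison
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3].isdigit():
            e = d["maps"].setdefault((w[2], w[3]), {})
            if w[4:6] == ["match", "address"]:
                e["acl"] = w[6]
            elif w[4:6] == ["set", "peer"]:
                e["peer"] = w[6]
            elif w[4:7] == ["set", "ikev1", "transform-set"]:
                e["ts"] = w[7]
    return d


def check_mirror(a, b):
    """Return mismatches that would keep a's tunnel to b from forming (empty list = mirrored)."""
    out = []
    if not any(pa == pb for pa in a["policies"].values() for pb in b["policies"].values()):
        out.append("no IKEv1 policy with identical parameters on both sides")
    for (name, seq), e in a["maps"].items():
        if e.get("peer") != b["outside_ip"]:
            out.append(f"{name} {seq}: peer {e.get('peer')} is not the remote outside address {b['outside_ip']}")
            continue
        remote = [r for r in b["maps"].values() if r.get("peer") == a["outside_ip"]]
        if not remote:
            out.append(f"{name} {seq}: remote has no crypto map entry with peer {a['outside_ip']}")
            continue
        r = remote[0]
        la, ra = a["acls"].get(e.get("acl")), b["acls"].get(r.get("acl"))
        if la is None or ra is None or la != (ra[2], ra[3], ra[0], ra[1]):
            out.append(f"{name} {seq}: ACL {e.get('acl')} is not the mirror of remote ACL {r.get('acl')}")
        if a["ts"].get(e.get("ts")) != b["ts"].get(r.get("ts")):
            out.append(f"{name} {seq}: transform sets differ")
        if a["psk"].get(e["peer"]) is None or a["psk"].get(e["peer"]) != b["psk"].get(a["outside_ip"]):
            out.append(f"{name} {seq}: pre-shared key missing or different for peer {e['peer']}")
    return out


if __name__ == "__main__":
    asa1, asa2 = parse_asa(ASA1_CFG), parse_asa(ASA2_CFG)
    print("ASA-1 -> ASA-2:", check_mirror(asa1, asa2) or "mirrored")
    print("ASA-2 -> ASA-1:", check_mirror(asa2, asa1) or "mirrored")
```

Run it against the two configs as posted and both directions come back "mirrored", which confirms the crypto side of the pair is consistent; the checker deliberately ignores the failover lines, because those decide which unit answers to 200.200.200.1, not what it negotiates.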

6 Replies

pjain2
Cisco Employee

Hello,

When the standby becomes active, please provide the output of the following from both the ASAs:

show failover

show failover state

sh int ip brief

show crypto isakmp sa


apply the following debugs on the active device:

debug crypto condition peer 200.200.200.1

debug crypto isakmp 127

debug crypto ipsec 127

Hello,

ASA-1:

Interface G0 is shutdown

Interface G1 is no shutdown

Interface G2 is no shutdown (interface FAILOVER)

ASA-3: Changed to Active, and ASA-3 shows the following warning:

**** WARNING ****
        Configuration Replication is NOT performed from Standby unit to Active unit.
        Configurations are no longer synchronized.

Here are the outputs of the commands that you told me:

ACTIVE-ASA# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 15:35:33 UTC Sep 3 2015
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (200.200.200.3): Link Down (Waiting)
                  Interface inside (192.168.1.3): Testing (Waiting)
        Other host: Primary - Active
                Active time: 1631 (sec)
                  Interface outside (200.200.200.1): Link Down (Waiting)
                  Interface inside (192.168.1.1): Normal (Waiting)

Stateful Failover Logical Update Statistics
        Link : FAILOVER GigabitEthernet2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         213        0          233        0
        sys cmd         213        0          213        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          2          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          4          0
        VPN IKEv1 P2    0          0          4          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          10         0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       3       2533
        Xmit Q:         0       1       213


ACTIVE-ASA# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready  Ifc Failure              15:54:15 UTC Sep 3 2015
Other host -   Primary
               Active         None

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set


ACTIVE-ASA# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           200.200.200.3   YES CONFIG administratively down up
GigabitEthernet1           192.168.1.3     YES CONFIG up                    up
GigabitEthernet2           192.168.99.3    YES unset  up                    up
GigabitEthernet3           unassigned      YES unset  administratively down up
ACTIVE-ASA# show cry
ACTIVE-ASA# show crypto is
ACTIVE-ASA# show crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs


On ASA-1, after it converted to standby because interface g0 failed:


ACTIVE-ASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 15:35:38 UTC Sep 3 2015
        This host: Primary - Active
                Active time: 2431 (sec)
                  Interface outside (200.200.200.1): Link Down (Waiting)
                  Interface inside (192.168.1.1): Unknown (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (200.200.200.3): Link Down (Waiting)
                  Interface inside (192.168.1.3): Unknown (Waiting)

Stateful Failover Logical Update Statistics
        Link : FAILOVER GigabitEthernet2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         339        0          319        0
        sys cmd         319        0          319        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         2          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    4          0          0          0
        VPN IKEv1 P2    4          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   10         0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       319
        Xmit Q:         0       3       3570

ACTIVE-ASA# sh failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Ifc Failure              15:54:14 UTC Sep 3 2015
                              inside: Failed

====Configuration State===
        Sync Done
====Communication State===
        Mac set

ACTIVE-ASA# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           200.200.200.1   YES CONFIG administratively down up
GigabitEthernet1           192.168.1.1     YES CONFIG up                    up
GigabitEthernet2           192.168.99.1    YES unset  up                    up
GigabitEthernet3           unassigned      YES unset  administratively down up
ACTIVE-ASA#

Thanks for helping me.
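The `sh failover` output above is what the reply asked for, and the useful facts in it are the role and state of each unit, the per-interface monitoring status, and the stateful replication counters (note the four IKEv1 SA and Phase 2 objects the secondary received). As an added example (not part of this thread and not Cisco code), here is a Python parser that extracts those fields from that output and lists everything that is not in a healthy state. The sample text is abridged from the secondary unit's output posted above; the function names and the wording of the findings are my own.

```python
"""Added example: parse ASA `show failover` output and list what is not healthy.

SAMPLE is abridged from the `sh failover` output the secondary unit printed
in the thread; the parser and the finding rules are illustrative only.
"""
import re

SAMPLE = """
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Monitored Interfaces 2 of 60 maximum
Last Failover at: 15:35:33 UTC Sep 3 2015
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (200.200.200.3): Link Down (Waiting)
                  Interface inside (192.168.1.3): Testing (Waiting)
        Other host: Primary - Active
                Active time: 1631 (sec)
                  Interface outside (200.200.200.1): Link Down (Waiting)
                  Interface inside (192.168.1.1): Normal (Waiting)

Stateful Failover Logical Update Statistics
        Link : FAILOVER GigabitEthernet2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         213        0          233        0
        sys cmd         213        0          213        0
        TCP conn        0          0          0          0
        VPN IKEv1 SA    0          0          4          0
        VPN IKEv1 P2    0          0          4          0
        VPN IKEv2 SA    0          0          0          0
"""

LINK_RE = re.compile(r"^Failover LAN Interface: (\S+) (\S+) \((\w+)\)$")
HOST_RE = re.compile(r"^(This|Other) host: (\S+) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \((\S+)\): (.+)$")
# stateful table rows: a name, two or more spaces, then the four counters
STAT_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 _-]*?)\s{2,}(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_show_failover(text):
    """Return unit role, failover link, per-host state, interface status and stateful counters."""
    fo = {"unit": None, "link": None, "this": None, "other": None,
          "interfaces": {"this": [], "other": []}, "stateful": {}}
    host = None  # which host block ("this"/"other") the interface lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover unit "):
            fo["unit"] = line.split()[2]
        elif (m := LINK_RE.match(line)):
            fo["link"] = m.groups()                       # (name, physical interface, up/down)
        elif (m := HOST_RE.match(line)):
            host = m.group(1).lower()
            fo[host] = (m.group(2), m.group(3))           # (Primary/Secondary, state)
        elif host and (m := IFACE_RE.match(line)):
            fo["interfaces"][host].append(m.groups())     # (nameif, ip, status)
        elif (m := STAT_RE.match(line)):
            fo["stateful"][m.group(1)] = tuple(int(x) for x in m.groups()[1:])  # (xmit, xerr, rcv, rerr)
    return fo


def failover_findings(fo):
    """Return human-readable reasons the pair is not fully healthy (empty list = all good)."""
    out = []
    if fo["link"] and fo["link"][2] != "up":
        out.append(f"failover link {fo['link'][0]} ({fo['link'][1]}) is {fo['link'][2]}")
    for host in ("this", "other"):
        if fo[host] is None:
            continue
        role, state = fo[host]
        for name, ip, status in fo["interfaces"][host]:
            if not status.startswith("Normal"):        # anything but Normal means monitoring is unhappy
                out.append(f"{role} ({state}): monitored interface {name} {ip} is {status}")
    for obj, (xmit, xerr, rcv, rerr) in fo["stateful"].items():
        if xerr or rerr:
            out.append(f"stateful replication errors for {obj}: xerr={xerr} rerr={rerr}")
    return out


if __name__ == "__main__":
    parsed = parse_show_failover(SAMPLE)
    print(parsed["this"], "/", parsed["other"], "/ link", parsed["link"])
    print("VPN IKEv1 SA counters (xmit, xerr, rcv, rerr):", parsed["stateful"].get("VPN IKEv1 SA"))
    for finding in failover_findings(parsed) or ["no findings"]:
        print("-", finding)
```

On the abridged sample this reports three findings: the outside interface is Link Down on both units and the secondary's inside interface is still Testing, while the stateful counters show the secondary did receive the IKEv1 SAs. Pasting the full output of both units through the same function makes it easy to compare them side by side after each failover test.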

From the attached config, I can see that the primary device is active; you mentioned that the tunnels do not come up when the secondary is active. Am I correct?

Yes, the VPN IPsec tunnel doesn't work when the secondary ASA is active.
Overview:
If ASA-1 (Active) and ASA-3 (Passive) are configured (they are the failover pair) and then the VPN IPsec is configured with the other ASA (ASA-2), and ASA-1 (Active) is running, the VPN IPSec tunnel works.


But if:

* ASA-1 is shut down => tunnel doesn't work with ASA-3 (changed to active)

* Interface g1 (inside) of ASA-1 is shut down => tunnel doesn't work with ASA-3 (changed to active)

* Interface g0 (outside) => tunnel doesn't work with ASA-3 (changed to active)

I think that the LAN FAILOVER isn't working, but I don't know how to repair it.

Do I have to configure the VPN IPSEC on ASA-3 (Standby)? I think that I only have to configure the Failover interface (g2) on ASA-3.

Try shutting down gi0/0 on ASA1; then ASA3 will become active.

apply the following debugs on the active device:

debug crypto condition peer <peer ip of ASA2>

debug crypto isakmp 127

debug crypto ipsec 127


Hello,

The problem is: the ping doesn't work between ASA-2 and ASA-3 when ASA-1 is shut down.

I'm trying to resolve it ...

If you see an error, please write to me.
