ASA 5505 + Security Plus License & backup ISP config
Looking for some help with backup ISP configuration on ASA 5505.
I have attached my configs as site-a and site-b.
I have a simulated internet using a router as a frame relay switch and 4 hub/spoke routers that can all ping each other. That part of the config is fine and works a treat. I then have 2 ASA 5505 firewalls attached to the routers, such that I have site-a with outside and backup interfaces and site-b with outside and backup interfaces. Each side can ping the external routers as normal, and I have created a site-to-site VPN between the networks; this works as expected. My problem starts when I disconnect either outside interface to simulate an outage of the primary ISP route: the tracking part works fine and the backup default route is installed in the routing table, however I cannot ping across the router to any external router whilst the backup route is installed. When I reinstate the primary route, it is then put back into the routing table and the connections start to work.
Not sure what I am missing, but I think it could be security policy related.
For anybody that's interested, I managed to get this working so that the VPN tunnel is recreated if either primary ISP connection fails and if both primary ISP connections fail at the same time. Below is the relevant section that needs to be changed; the config is for Site A.
! Primary ISP crypto map: the remote site's primary peer is listed first and its
! backup peer second, so the tunnel can be built to whichever remote ISP is up.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 22.214.171.124 126.96.36.199
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
! Backup ISP crypto map: same interesting traffic and the same two remote peers,
! with a short SA lifetime so the tunnel moves back when the primary returns.
crypto map backup_map 1 match address backup_1_cryptomap
crypto map backup_map 1 set pfs
crypto map backup_map 1 set peer 188.8.131.52 184.108.40.206
crypto map backup_map 1 set transform-set ESP-3DES-SHA
crypto map backup_map 1 set security-association lifetime seconds 120
! Assumed binding (not in the posted excerpt): a crypto map only takes effect once
! it is applied to an interface, so backup_map must be bound to the backup interface.
crypto map backup_map interface backup
! ISAKMP must be enabled on both egress interfaces.
crypto isakmp enable outside
crypto isakmp enable backup
! The body of policy 10 (authentication, encryption, hash, group) is not shown in the post.
crypto isakmp policy 10
I have set the SA life to 2 mins on the backup interfaces because when the primary interface is returned to normal, the VPN failed to recover in a reasonable time.
Other than that, along with the extra line as previous, it is necessary to add the second tunnel groups for the backup interface. When I configured the site-to-site tunnels I used the VPN wizard to create the correct configuration, running it twice at each end point. It's important to note that you need to select the backup interface when creating the second tunnel group, and use the same information as the primary tunnel setup.
Once you have created 2 instances (1st for primary ISP and 2nd for backup ISP) of tunnel groups at both ends, you need to edit them so that you add the remote endpoint backup interface. When you use the GUI you get an error about only being able to add the backup interface when set to 'originate-only'. I set it this way and saved the config, then returned and changed it back to bi-directional and re-saved the config; this allows you to fail over to the remote backup ISP connection should its primary fail.
The final change that needs to be made is to set the SA life to 120 seconds on the backup connections; this helps the VPN tunnels to return to the primary interfaces when they return.
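To put the pieces from this thread together, here is an added illustration of a complete minimal pre-8.3 ASA 5505 configuration for the same dual-ISP setup: ISP tracking with a backup default route, translation on both egress interfaces, two crypto maps each bound to its own interface, and one tunnel group per remote peer address. This is not the poster's config; every address, interface name, key and access-list name in it is a placeholder, and it assumes the same pre-8.3 syntax (`crypto isakmp enable`, `nat`/`global`) that the posted excerpt uses.

```cisco
! Added illustration (not the poster's config): pre-8.3 ASA 5505 dual-ISP
! failover with a site-to-site VPN that can use either ISP at either end.
! All addresses, names and keys are placeholders.
!
! --- Interfaces: one inside VLAN, one VLAN per ISP ---
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Vlan3
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! --- ISP tracking: ping the primary next hop every 5 s; when it is lost the
! --- tracked default route is withdrawn and the higher-metric backup route
! --- takes over in the routing table.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! --- Translation on BOTH egress interfaces. A backup route alone is not
! --- enough: with no global on the backup interface, inside hosts have no
! --- translation for that path and their traffic never leaves the box.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (backup) 1 interface
!
! --- Phase 1 / Phase 2 parameters, enabled on both egress interfaces ---
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! --- Same interesting traffic on both maps; each map lists the remote primary
! --- peer first and the remote backup peer second, so the tunnel comes up to
! --- whichever remote ISP is reachable. Each map is bound to its own interface.
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list backup_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 203.0.113.50 198.51.100.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto map backup_map 1 match address backup_1_cryptomap
crypto map backup_map 1 set pfs
crypto map backup_map 1 set peer 203.0.113.50 198.51.100.50
crypto map backup_map 1 set transform-set ESP-3DES-SHA
! Short SA life on the backup path so the tunnel returns to the primary quickly.
crypto map backup_map 1 set security-association lifetime seconds 120
crypto map backup_map interface backup
!
! --- One tunnel group per remote peer address, so whichever peer the map ends
! --- up negotiating with has a pre-shared key and dead-peer detection.
tunnel-group 203.0.113.50 type ipsec-l2l
tunnel-group 203.0.113.50 ipsec-attributes
 pre-shared-key <REPLACE-ME>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.50 type ipsec-l2l
tunnel-group 198.51.100.50 ipsec-attributes
 pre-shared-key <REPLACE-ME>
 isakmp keepalive threshold 10 retry 2
! Let decrypted VPN traffic bypass the interface access lists.
sysopt connection permit-vpn
```

When testing an outage, check the three layers separately: `show track 1` and `show route` confirm the backup default route has been installed, `show xlate` confirms inside hosts are being translated on the backup interface, and `show crypto isakmp sa` / `show crypto ipsec sa` confirm which peer and which local interface the tunnel has been rebuilt on. If the route has switched but plain pings out of the backup interface fail, the translation layer is the first place to look.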