04-06-2009 10:47 AM - edited 03-11-2019 08:15 AM
Hi,
Looking for some help with backup ISP configuration on ASA 5505.
I have attached my configs as site-a and site-b.
I have a simulated internet using a router as a frame relay switch and 4 hub/spoke routers that can all ping each other. That part of the config is fine and works a treat. I then have 2 ASA 5505 firewalls attached to the routers such that I have site-a with outside and backup interfaces and site-b with outside and backup interfaces. Each side can ping the external routers as normal, and I have created a site-to-site VPN between the networks; this works as expected. My problem starts when I disconnect either outside interface to simulate an outage of the primary ISP route: the tracking part works fine and the backup default route is installed in the routing table, however I cannot ping across the router to any external router whilst the backup route is installed. When I reinstate the primary route, it is then put back into the routing table and the connections start to work.
Not sure what I am missing, but I think it could be security policy related.
Thanks in advance for any help provided.
John Verdon.
04-07-2009 02:18 AM
I found part of the answer to my problem, I was missing the following command in the config of both sites.
global (backup) 1 interface
so now the backup route is installed into the routing table and the traffic can flow as expected.
My problem now seems to be that when the link drops, the site-to-site VPN drops during the failover period and the VPN link then fails to reconnect.
The VPN appears to be created and the VPN lights on the front of the ASA boxes are on, but no traffic flows across the VPN tunnel.
I think this is a security policy configuration issue but not sure what is required.
Regards,
John.
04-08-2009 07:12 AM
For anybody that's interested, I managed to get this working so that the VPN tunnel is recreated if either primary ISP connection fails and if both primary ISP connections fail at the same time. Below is the relevant section that needs to be changed; config is for Site A.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 44.44.44.45 55.55.55.56
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto map backup_map 1 match address backup_1_cryptomap
crypto map backup_map 1 set pfs
crypto map backup_map 1 set peer 44.44.44.45 55.55.55.56
crypto map backup_map 1 set transform-set ESP-3DES-SHA
crypto map backup_map 1 set security-association lifetime seconds 120
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
I have set the SA life to 2 mins on the backup interfaces because when the primary interface is returned to normal, the VPN failed to recover in a reasonable time.
Other than that along with the extra line as previous,
global (backup) 1 interface
the configs are as posted.
Hope that helps anyone with a similar problem.
John.
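A consistency check for the kind of two-ISP crypto wiring shown above, added here as an example and not part of the original post or of Cisco's tooling. It parses the `crypto map ... interface`, `set peer` and `crypto isakmp enable` lines, then reports any crypto map not bound to an interface, any interface with ISAKMP enabled but no map, and maps whose peer lists differ (each map needs both remote addresses for cross-ISP failover). Run over the Site A snippet as posted, it reports that `backup_map` has no `crypto map backup_map interface backup` line, which is the line to confirm is present in the full config.

```python
import re
from collections import defaultdict

# Constructed sample input: the Site A crypto section as posted above.
SAMPLE_CONFIG = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 44.44.44.45 55.55.55.56
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto map backup_map 1 match address backup_1_cryptomap
crypto map backup_map 1 set pfs
crypto map backup_map 1 set peer 44.44.44.45 55.55.55.56
crypto map backup_map 1 set transform-set ESP-3DES-SHA
crypto map backup_map 1 set security-association lifetime seconds 120
crypto isakmp enable outside
crypto isakmp enable backup
"""

def parse_crypto(config):
    """Per crypto map: bound interface and peer set; plus interfaces with ISAKMP enabled."""
    maps = defaultdict(lambda: {"iface": None, "peers": set()})
    isakmp = set()
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"crypto map (\S+) interface (\S+)$", s):
            maps[m[1]]["iface"] = m[2]
        elif m := re.match(r"crypto map (\S+) \d+ set peer (.+)$", s):
            maps[m[1]]["peers"].update(m[2].split())
        elif m := re.match(r"crypto isakmp enable (\S+)$", s):
            isakmp.add(m[1])
    return dict(maps), isakmp

def audit(config):
    """Return findings; an empty list means the two-ISP crypto wiring is consistent."""
    maps, isakmp = parse_crypto(config)
    findings = []
    for name, cm in sorted(maps.items()):
        if cm["iface"] is None:
            findings.append(f"{name}: defined but not applied to any interface")
        elif cm["iface"] not in isakmp:
            findings.append(f"{name}: applied to {cm['iface']} but ISAKMP not enabled there")
    for iface in sorted(isakmp):
        if not any(cm["iface"] == iface for cm in maps.values()):
            findings.append(f"ISAKMP enabled on {iface} but no crypto map is applied there")
    # Each map must list both remote addresses, or a failure of the peer's primary ISP cannot be followed.
    if len({frozenset(cm["peers"]) for cm in maps.values()}) > 1:
        findings.append("crypto maps list different peer sets; cross-ISP failover may not work")
    return findings
```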
04-08-2009 07:23 AM
Thanks for sharing! 5 points for you!
04-13-2009 07:06 AM
Hi,
Thanks for info.
Can you also post details how you configured tunnel-groups?
Is it necessary to add additional tunnel group for second peer?
04-15-2009 11:13 AM
Hi,
It is necessary to add the second tunnel groups for the backup interface. When I configured the site-to-site tunnels I used the VPN wizard to create the correct configuration, running it twice at each end point. It's important to note that you need to select the backup interface when creating the second tunnel group; use the same information as the primary tunnel setup.
Once you have created 2 instances (1st for primary ISP and 2nd for backup ISP) of tunnel groups at both ends, you need to edit them so that you add the remote endpoint backup interface. When you use the GUI you get an error about only being able to add the backup interface when set to 'originate-only'. I set it this way and saved the config, then returned and changed it back to bi-directional and re-saved the config; this allows you to fail over to the remote backup ISP connection should its primary fail.
The final change that needs to be made is to set the SA life to 120 seconds on the backup connections; this helps the VPN tunnels to return to the primary interfaces when they return.
Hope that helps.
John.