New Member

ASA - IPSEC and OSPF issue

Hello!

We are using Cisco 871s at the branches and an ASA5520 in router mode at the central office. A VPN3000 is used to terminate the IPSEC connections. I am trying to implement backup links with OSPF and the 'crypto map local-address' feature. The config at the Cisco 871 looks like this:

--------
interface Loopback1
 ip address 172.16.255.10 255.255.255.255
!
crypto map VPN local-address Loopback1
crypto map VPN 10 ipsec-isakmp
 set peer 10.1.5.1
 set transform-set TRANSFORM_SET
 match address VPN_TRIGGER
!
interface FastEthernet1
 description MAIN LINK
 ip address 172.16.1.10 255.255.255.0
 crypto map VPN
!
interface FastEthernet2
 description BACKUP LINK
 ip address 172.16.2.10 255.255.255.0
 crypto map VPN
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 172.16.1.0 0.0.0.255 area 1.1.1.1
 network 172.16.2.0 0.0.0.255 area 2.2.2.2
--------

172.16.255.10 is configured as the peer address for the tunnel on the VPN3000.

IPSEC tunnel works fine; 172.16.255.10 is accessible.

ciscoasa# sh route | b 172.16.255
O E2 172.16.255.10 255.255.255.255
           [110/20] via 172.16.160.10, 0:04:26, link1

ciscoasa# sh conn detail | i 172.16.255.10
ESP dmz:10.1.5.1/41767 link1:172.16.255.10/56656
ESP dmz:10.1.5.1/4405 link1:172.16.255.10/38401
UDP dmz:10.1.5.1/500 link1:172.16.255.10/500 flags -

Let's shut down the active link:

ciscoasa# sh route | b 172.16.255
O E2 172.16.255.10 255.255.255.255
           [110/20] via 172.16.0.27, 0:00:15, link2

ciscoasa# sh conn detail | i 172.16.255.10
UDP dmz:10.1.5.1/500 link1:172.16.255.10/500 flags -

172.16.255.10 is now accessible via the 'link2' interface, but the UDP/500 connection is still bound to the 'link1' interface.

Is it a bug or a feature? I suppose it's a feature. Is it possible to turn off that 'bind connection to interface' feature?

Maybe there are better solutions for backup links? For example, should I use some ISR to terminate OSPF on it (then 172.16.255.10 won't jump from one interface to another)? Or maybe I should use two different IPSEC tunnels and run a routing protocol inside them?
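The behaviour in the post is the classic mismatch between a stateful firewall's connection table and a dynamic routing table: the egress interface is chosen when the connection is first seen and is not re-evaluated when OSPF later moves the route. The following toy model is an added example written for this page, not Cisco code and not the poster's configuration; the interface names (dmz, link1, link2), addresses and the single /32 route are constructed to mirror the numbers in the post, and the metric handling is simplified. It reproduces the observed state (the existing UDP/500 entry stays on link1 after the route flips while a new flow takes link2) and shows the cleanup a firewall administrator would want: finding and dropping the entries whose bound interface no longer matches the current route, which is what clearing the stale connection on the ASA achieves.

```python
"""Toy stateful firewall: connections bind to the egress interface chosen at
creation time and are not re-routed when the routing table changes.
Added illustration, not Cisco code; names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str
    metric: int = 20  # OSPF E2 default, as in the post's "[110/20]"


class RoutingTable:
    """Minimal RIB: longest prefix match, lowest metric wins on ties."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, next_hop: str, interface: str, metric: int = 20) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, interface, metric))

    def withdraw(self, interface: str) -> None:
        # Models OSPF pulling every route learned over a failed link.
        self.routes = [r for r in self.routes if r.interface != interface]

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Conn:
    key: FiveTuple
    in_if: str
    out_if: str  # bound once, when the connection is created


class StatefulFirewall:
    def __init__(self, rib: RoutingTable) -> None:
        self.rib = rib
        self.conns: Dict[FiveTuple, Conn] = {}

    def forward(self, key: FiveTuple, in_if: str) -> Optional[str]:
        """Return the egress interface for a packet, creating state on first sight.
        An existing connection is forwarded on its bound interface with no new
        route lookup; that is the behaviour seen in the post."""
        conn = self.conns.get(key)
        if conn is None:
            route = self.rib.lookup(key.dst)
            if route is None:
                return None  # no route: drop, no state created
            conn = Conn(key, in_if, route.interface)
            self.conns[key] = conn
        return conn.out_if

    def _is_stale(self, conn: Conn) -> bool:
        route = self.rib.lookup(conn.key.dst)
        return route is None or route.interface != conn.out_if

    def stale_conns(self) -> List[Conn]:
        """Entries whose bound interface disagrees with the current route."""
        return [c for c in self.conns.values() if self._is_stale(c)]

    def clear_stale(self) -> int:
        """Drop stale entries so the next packet gets a fresh route lookup."""
        stale = self.stale_conns()
        for c in stale:
            del self.conns[c.key]
        return len(stale)


def demo():
    """Replays the post's failover; returns the egress decisions at each step."""
    rib = RoutingTable()
    rib.add("172.16.255.10/32", "172.16.160.10", "link1")
    fw = StatefulFirewall(rib)
    isakmp = FiveTuple("UDP", "10.1.5.1", 500, "172.16.255.10", 500)
    first = fw.forward(isakmp, "dmz")  # "link1"

    # Main link fails: OSPF withdraws the link1 route and installs link2.
    rib.withdraw("link1")
    rib.add("172.16.255.10/32", "172.16.0.27", "link2")

    same_flow = fw.forward(isakmp, "dmz")  # still "link1": bound at creation
    new_flow = fw.forward(FiveTuple("UDP", "10.1.5.1", 4500, "172.16.255.10", 4500), "dmz")  # "link2"
    cleared = fw.clear_stale()  # 1: only the old UDP/500 entry is stale
    after_clear = fw.forward(isakmp, "dmz")  # "link2": state rebuilt on the new route
    return first, same_flow, new_flow, cleared, after_clear


if __name__ == "__main__":
    print(demo())
```

The `stale_conns` check is the detection half of the problem: a monitoring script that compares the connection table against the routing table after an adjacency change will flag exactly the entry the post shows stuck on link1. On an ASA the corresponding manual remedy is to clear that connection (`clear conn` with the relevant address filter), after which the next IKE packet is routed over the live link; the model makes the same point without any vendor-specific behaviour beyond "bind at creation".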

2 REPLIES
Silver

Re: ASA - IPSEC and OSPF issue

Check the ASA configuration, especially the VPN-related config.

New Member

Re: ASA - IPSEC and OSPF issue

The ASA isn't involved directly in the VPN; it's used as a router and (stateful) firewall here. The problem is in the firewall states and dynamic routing.
