06-20-2014 03:01 AM - edited 03-11-2019 09:21 PM
Hi Community.
I've successfully set up ISP failover. Now all the traffic (internet and VPN) goes over ISP1, and if the connection to ISP1 fails it goes to ISP2.
But I would like to have a different setup. All the internet traffic should go to ISP1 and all the VPN traffic should go to ISP2, but with failover functionality.
That means: if ISP1 fails, the internet traffic goes to ISP2, and if ISP2 fails, the VPN traffic goes to ISP1.
Is that possible?
Best regards, Patrick
06-24-2014 05:01 AM
S 33.33.33.33 255.255.255.255 [2/0] via 212.12.12.12, OUT2
S* 0.0.0.0 0.0.0.0 [1/0] via 212.12.12.12, OUT1
I am wondering if the static route administrative distance is taking precedence over your 33.33.33.33 static route with an AD of 2, even though it is a more specific route.
Try setting the 33.33.33.33 static route to have an AD of 1:
route OUT2 33.33.33.33 255.255.255.255 211.11.11.9 1
You posted the correct config earlier... so I am not sure why it is showing up as 2.
--
Please remember to select a correct answer and rate helpful posts
06-24-2014 05:19 AM
Yeah, I am wondering the same... how does it show a metric of 2 for a static route? It should show 1/0.
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
S 2.2.2.2 255.255.255.255 [1/0] via 20.0.0.1, out
C 20.0.0.0 255.255.255.0 is directly connected, out2
C 10.0.0.0 255.255.255.0 is directly connected, out
S* 0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, out
S 0.0.0.0 0.0.0.0 [255/0] via 20.0.0.1, out2
ciscoasa(config)#
Even in my lab it's showing 1/0...
But I have doubts about the behaviour of PPPoE here...
Regards
Karthik
06-24-2014 05:57 AM
That was a typo. But if I change it to AD 1, it's the same.
I did a write erase and started the config over, but only with the relevant config, and I still have the same problem. Should I try to upgrade to the newest ASA software?
06-24-2014 06:01 AM
Yes, an upgrade of the software would be my next suggestion.
--
Please remember to select a correct answer and rate helpful posts
06-24-2014 06:32 AM
Hi Patrick,
I guess we need to tweak something related to PPPoE... you have one ISP with PPPoE and the other with Ethernet. We need to get this clarified before we go with the OS upgrade option.
Regards
Karthik
06-24-2014 09:59 AM
I have also posted this query in the Ask the Expert discussion. Let's see how best we can solve this.
Regards
Karthik
06-25-2014 05:49 AM
Hi Karthik,
I did it like you instructed me to :-) and now I have the cryptos in the right order. But still the same problem: the VPN still goes out the wrong interface.
And guess what, if you write the config to the startup and reboot the ASA, the cryptos are again in the wrong order.
I am now trying to change the nameif of OUT2 and OUT1.
I'm still thinking it is a bug in the software.
Thanks, Patrick
06-25-2014 06:06 AM
So I changed the nameifs too. Now the VLANs look like this:
interface Vlan2
description *** BACKUP ***
no forward interface Vlan1
nameif OUT2
security-level 0
pppoe client vpdn group pppoex
ip address pppoe
!
interface Vlan3
description *** OUTSIDE ***
nameif OUT1
security-level 0
ip address 217.168.46.157 255.255.255.248
But still the same problem. The traceroute is good, like it was before.
Traceroute to Internet over ISP1:
ciscoasa# traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
1 213.3.243.154 10 msec 10 msec 20 msec
2 213.3.246.110 10 msec 20 msec 20 msec
3 195.186.0.74 10 msec 20 msec 20 msec
4 195.186.0.74 10 msec 20 msec 20 msec
5 138.187.129.143 10 msec 10 msec 10 msec
6 138.187.130.108 10 msec 20 msec 20 msec
7 72.14.222.46 10 msec 20 msec 20 msec
8 72.14.232.120 20 msec
66.249.94.52 30 msec 20 msec
9 209.85.251.178 20 msec 30 msec
72.14.234.237 20 msec
10 209.85.254.112 20 msec
209.85.254.114 20 msec 20 msec
Traceroute to VPN Peer over ISP2:
ciscoasa# traceroute 217.192.12.162
Type escape sequence to abort.
Tracing the route to 217.192.12.162
1 * * *
2 217.168.52.245 10 msec 20 msec 10 msec
3 84.116.202.237 10 msec 30 msec 10 msec
4 84.116.134.22 10 msec 10 msec 20 msec
5 193.5.122.148 10 msec 10 msec 20 msec
6 138.187.129.54 10 msec 10 msec 20 msec
7 138.187.129.111 10 msec 20 msec 10 msec
8 138.187.132.172 10 msec 10 msec 20 msec
9 217.193.52.146 10 msec 10 msec 20 msec
But the VPN traffic still completely refuses to use ISP2 as the gateway.
06-25-2014 06:10 AM
Some more info: if I manually shut down Vlan2, then the VPN takes the right path.
Best regards, Patrick
06-25-2014 09:42 AM
Hi Patrick,
Manually shutting down VLAN2 is something like shutting the ISP1 link, which goes via PPPoE.
Yeah, I suggest you get a TAC case raised for this, since I have limited options to lab this setup. Meanwhile I shall try to suggest some more testing to sort this out.
Can you try this? Please remove the tunnel parameters to break the VPN connection and try doing a trace without having the VPN established between the sites... trace towards a general internet IP as well as the peer IP.
This may shed some light on this issue.
HTH
Regards
Karthik
06-26-2014 03:23 AM
Guys, thanks for your great support.
I think it's a bug, and I'll go open a TAC case.
Best regards, Patrick
07-07-2014 07:08 AM
Guys, it wasn't a bug. It's just something special.
The TAC engineer did a great job and found the solution.
We just missed this little route in our config:
route OUT1 10.41.16.0 255.255.252.0 217.168.46.153 1 track 1
For some reason the VPN traffic needs a dedicated route.
The whole set of route entries should look like this:
route OUT1 217.192.12.162 255.255.255.255 217.168.46.153 1 track 1
route OUT1 10.41.16.0 255.255.252.0 217.168.46.153 1 track 1
route OUT2 0.0.0.0 0.0.0.0 213.3.242.151 1 track 2
route OUT1 0.0.0.0 0.0.0.0 217.168.46.153 254
route OUT2 217.192.12.162 255.255.255.255 213.3.242.151 254
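Why that one route matters (an added example, not from the original thread or from Cisco): the ASA applies a crypto map on the egress interface, so traffic for the remote LAN 10.41.16.0/22 only enters the tunnel if routing sends it out the interface the crypto map is bound to. Without the /22 route it follows the default route out OUT2, where no crypto map sees it, and it leaves the firewall outside the tunnel. The model below also answers the earlier question about the 33.33.33.33/32 route with AD 2: longest prefix match is decided first and administrative distance only breaks ties between routes to the same prefix, so the /32 wins over the default regardless of its AD. The crypto map being bound to OUT1, the sample host 10.41.16.10, and the simplified lookup model are my assumptions.

```python
"""Model of ASA static-route selection (longest prefix first, then lowest
administrative distance, tracked routes withdrawn while their SLA track is
down), applied to the route set posted in the thread. Added example; the
crypto-map interface and sample host are assumptions, not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    iface: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    ad: int = 1                   # administrative distance; static default is 1
    track: Optional[int] = None   # SLA track id; None means untracked


def parse_route(line: str) -> StaticRoute:
    """Parse one ASA 'route IFACE NET MASK GATEWAY [AD] [track N]' line."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a static route line: {line!r}")
    iface, net, mask, gw = parts[1:5]
    rest = parts[5:]
    ad = int(rest[0]) if rest and rest[0].isdigit() else 1
    track = int(rest[rest.index("track") + 1]) if "track" in rest else None
    return StaticRoute(iface, ipaddress.IPv4Network(f"{net}/{mask}", strict=False), gw, ad, track)


def parse_routes(config: str) -> List[StaticRoute]:
    return [parse_route(l) for l in config.splitlines() if l.strip().startswith("route ")]


class RouteTable:
    def __init__(self, routes: List[StaticRoute], tracks_up: Optional[Dict[int, bool]] = None):
        self.routes = list(routes)
        self.tracks_up = dict(tracks_up or {})   # track id -> reachable; missing means up

    def usable(self) -> List[StaticRoute]:
        return [r for r in self.routes if r.track is None or self.tracks_up.get(r.track, True)]

    def lookup(self, dst: str) -> Optional[StaticRoute]:
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.usable() if addr in r.prefix]
        if not matches:
            return None
        # Longest prefix wins first; AD only breaks ties between equal prefixes.
        return min(matches, key=lambda r: (-r.prefix.prefixlen, r.ad))

    def egress(self, dst: str) -> Optional[str]:
        r = self.lookup(dst)
        return r.iface if r else None


def tunnel_protects(table: RouteTable, dst: str, crypto_iface: str, remote_domain: str) -> bool:
    """True only if dst is inside the remote encryption domain AND routing sends it out
    the interface carrying the crypto map (the ASA applies crypto maps on egress)."""
    in_domain = ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(remote_domain)
    return in_domain and table.egress(dst) == crypto_iface


# Final route set posted in the thread (the TAC-supplied fix).
FINAL_ROUTES = """
route OUT1 217.192.12.162 255.255.255.255 217.168.46.153 1 track 1
route OUT1 10.41.16.0 255.255.252.0 217.168.46.153 1 track 1
route OUT2 0.0.0.0 0.0.0.0 213.3.242.151 1 track 2
route OUT1 0.0.0.0 0.0.0.0 217.168.46.153 254
route OUT2 217.192.12.162 255.255.255.255 213.3.242.151 254
"""
PEER = "217.192.12.162"
REMOTE_LAN = "10.41.16.0/22"   # remote encryption domain, from the added route
LAN_HOST = "10.41.16.10"       # constructed sample host inside that domain (assumption)
CRYPTO_IFACE = "OUT1"          # assumption: the crypto map is bound to OUT1


def demo_domain_route():
    """Without the /22 route the LAN traffic takes the default via OUT2 and misses the crypto map."""
    full = RouteTable(parse_routes(FINAL_ROUTES))
    without = RouteTable([r for r in full.routes if str(r.prefix) != REMOTE_LAN])
    return (without.egress(LAN_HOST), tunnel_protects(without, LAN_HOST, CRYPTO_IFACE, REMOTE_LAN),
            full.egress(LAN_HOST), tunnel_protects(full, LAN_HOST, CRYPTO_IFACE, REMOTE_LAN))


def demo_failover():
    """Track 1 down: both VPN routes fall back to OUT2; track 2 down: internet falls back to OUT1."""
    isp1_down = RouteTable(parse_routes(FINAL_ROUTES), {1: False})
    isp2_down = RouteTable(parse_routes(FINAL_ROUTES), {2: False})
    return (isp1_down.egress(PEER), isp1_down.egress(LAN_HOST),
            isp2_down.egress("8.8.8.8"), isp2_down.egress(PEER))


def demo_prefix_beats_ad():
    """The /32 with AD 2 from the earlier 'show route' still wins over the AD 1 default."""
    table = RouteTable([
        StaticRoute("OUT2", ipaddress.IPv4Network("33.33.33.33/32"), "212.12.12.12", ad=2),
        StaticRoute("OUT1", ipaddress.IPv4Network("0.0.0.0/0"), "212.12.12.12", ad=1),
    ])
    return table.egress("33.33.33.33")


if __name__ == "__main__":
    print("without/with encryption-domain route:", demo_domain_route())
    print("failover (ISP1 down, ISP2 down):", demo_failover())
    print("/32 AD 2 vs default AD 1:", demo_prefix_beats_ad())
```

The model deliberately ignores NAT and the crypto ACL itself; its point is the routing decision that happens before either is consulted, which is why a route for the remote encryption domain has to exist out the crypto-map interface even when the peer address already has one.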
07-07-2014 11:15 PM
Hi Patrick,
Ohhh... even the encryption domain needs to be added as a static route... but it's quite interesting why we need that. Thanks for notifying this... It's good learning for me as well.
Regards
Karthik
06-25-2014 06:14 AM
The issue, as you have noticed, is not with the order in which it appears in the config... the only crypto config where order matters is the crypto maps.
This is a routing issue, as the admin distance of the static route pointing out OUT2 is higher than the default route... why that is could very well be a bug or something we are overlooking. I have also set up this config in my lab and do not have this problem. The only exception is I did not have PPPoE set up.
--
Please remember to select a correct answer and rate helpful posts
06-25-2014 09:25 AM
Yeah, I agree with you Marius... but it's just a try with the available options. The earlier post was showing an incorrect admin distance due to a typo while modifying the actual information in the output. In the recent post he clarified that it takes the admin distance of 1/0, so that should not be the problem.
sh route:
Gateway of last resort is 213.3.242.151 to network 0.0.0.0
C 172.30.140.0 255.255.255.0 is directly connected, INS1
S 217.192.12.162 255.255.255.255 [1/0] via 217.168.46.153, OUT2
C 217.168.46.152 255.255.255.248 is directly connected, OUT2
S* 0.0.0.0 0.0.0.0 [1/0] via 213.3.242.151, OUT1