ISP Failover - Internet Access to ISP1 and VPN Traffic to ISP2

Patrick Werner

Hi Community.

I've successfully set up ISP failover. Now all the traffic (internet and VPN) goes over ISP1, and if the connection to ISP1 fails it goes to ISP2.

But I would like to have a different setup. All the internet traffic should go to ISP1 and all the VPN traffic should go to ISP2, but with failover functionality.

That means: if ISP1 fails, the internet traffic goes to ISP2. And if ISP2 fails, the VPN traffic goes to ISP1.

Is that possible?

Best regards, Patrick


Are we talking S2S VPN or RA VPN?

Also, why would you want to fail the VPN over to ISP1 if ISP1 has failed?

But to answer your question: if it is an S2S VPN, this is possible. If it is an RA VPN, this is not possible, because you would need the use of a default route to be able to reach the remote IPs. But for site-to-site you can set a static route pointing out ISP2.

Now you would need two default routes and two static routes for the S2S VPN connection; the primary route would need a lower administrative distance than the secondary route. Then you would configure IP SLA tracking, one for the default route and one for the S2S VPN static route. You would then assign the tracking to the route that you want active; once the tracking returns an unreachable or down response, that route will be removed from the routing table and the backup route will be installed in the routing table.

--

Please remember to select a correct answer and rate helpful posts


Hi Marius.

Yes, I need it for S2S VPN. I did the config as you mentioned, but I had no luck.

See the config of my SLA and routing:

----------------------------------------------------------------------------------------

route OUT1 0.0.0.0 0.0.0.0 212.12.12.12 1 track 1
route OUT1 33.33.33.33 255.255.255.255 212.12.12.12 254

route OUT2 33.33.33.33 255.255.255.255 211.11.11.9 1 track 2
route OUT2 0.0.0.0 0.0.0.0 211.11.11.9 254

sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface OUT1
 num-packets 3
 frequency 15
sla monitor schedule 1 life forever start-time now

sla monitor 2
 type echo protocol ipIcmpEcho 8.8.8.8 interface OUT2
 num-packets 3
 frequency 10
sla monitor schedule 2 life forever start-time now

----------------------------------------------------------------------------------------

33.33.33.33 is the VPN peer at the other end. 212.12.12.12 is the primary default route for internet access and 211.11.11.9 is the primary default route for the VPN.

Did I do something wrong?

Hope you can help. Best regards, Patrick

You need to assign the SLA to a track ID:

track 1 rtr 1 reachability

track 2 rtr 2 reachability

The format is:

track <track number> rtr <SLA number> reachability

--

Please remember to select a correct answer and rate helpful posts

I did that but forgot to post these two lines here. Is the rest of the config okay?

The reason this isn't working is that you are tracking 8.8.8.8 on interface OUT2, which is your secondary interface; your default route does not point out that interface. I suggest you track an IP that you can configure a static route for which points out interface OUT2, and then test.

--

Please remember to select a correct answer and rate helpful posts
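Putting Marius's two posts together (the two-route/two-track design from his first answer and the probe-target correction just above), here is a complete ASA skeleton for the internet-on-OUT1, VPN-on-OUT2 design; this is an added example, not a config from the thread. It reuses Patrick's interface names and addresses and assumes an ASA with IP SLA tracking, as in the thread.

```cisco
! Added example, not from the thread. Interface names and next hops are
! those in Patrick's post; the remote peer is 33.33.33.33.
!
! --- Primary paths: AD 1, withdrawn while their track reports down ---
route OUT1 0.0.0.0 0.0.0.0 212.12.12.12 1 track 1
route OUT2 33.33.33.33 255.255.255.255 211.11.11.9 1 track 2
!
! --- Backup paths: AD 254, installed only once the primary is gone ---
route OUT2 0.0.0.0 0.0.0.0 211.11.11.9 254
route OUT1 33.33.33.33 255.255.255.255 212.12.12.12 254
!
! --- Probes: each one targets an address that is reachable out the
!     interface it is sourced from. A probe for 8.8.8.8 sent out OUT2
!     (Patrick's first attempt) has no route out OUT2 and never comes
!     back up, so the OUT2 static route never gets installed.
sla monitor 1
 type echo protocol ipIcmpEcho 212.12.12.12 interface OUT1
 num-packets 3
 frequency 15
sla monitor schedule 1 life forever start-time now
!
sla monitor 2
 type echo protocol ipIcmpEcho 211.11.11.9 interface OUT2
 num-packets 3
 frequency 10
sla monitor schedule 2 life forever start-time now
!
! --- Bind each probe to the track object the primary route references ---
track 1 rtr 1 reachability
track 2 rtr 2 reachability
!
! Caveat: probing the next hop only catches a dead link or gateway. To
! also catch an upstream ISP outage, probe a host beyond the gateway for
! which a static route out that interface exists, as Marius suggests.
!
! Verification (exec mode), expected while both ISPs are up:
!   show track                         -> both tracks "Reachability is Up"
!   show sla monitor operational-state -> return codes OK on both probes
!   show route                         -> 0.0.0.0 via 212.12.12.12 (OUT1)
!                                         33.33.33.33 via 211.11.11.9 (OUT2)
```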

Hi guys, that was it. The routing is working now. I did as you mentioned:

---------------------------------------------------------------------------------

sla monitor 1
 type echo protocol ipIcmpEcho 212.12.12.12 interface OUT1
 num-packets 3
 frequency 15
sla monitor schedule 1 life forever start-time now

sla monitor 2
 type echo protocol ipIcmpEcho 211.11.11.9 interface OUT2
 num-packets 3
 frequency 10
sla monitor schedule 2 life forever start-time now

-----------------------------------------------------------------------------------

The traceroute now shows me that the address 33.33.33.33 goes out interface OUT2. But the VPN traffic still uses interface OUT1.

My crypto config:

------------------------------------------------------------------------------------

access-list ALC_VPN extended permit ip object OBJ_INS1_NET_192_168_1 object 10.41.16.0_22


nat (INS1,OUT1) source static OBJ_INS1_NET_192_168_1 OBJ_INS1_NET_192_168_1 destination static 10.41.16.0_22 10.41.16.0_22 no-proxy-arp route-lookup
nat (INS1,OUT2) source static OBJ_INS1_NET_192_168_1 OBJ_INS1_NET_192_168_1 destination static 10.41.16.0_22 10.41.16.0_22 no-proxy-arp route-lookup


crypto map OUT1_MAP 100 match address ALC_VPN
crypto map OUT1_MAP 100 set pfs
crypto map OUT1_MAP 100 set peer 33.33.33.33
crypto map OUT1_MAP 100 set ikev1 transform-set ESP-3DES-SHA
crypto map OUT1_MAP interface OUT1
crypto map OUT1_MAP interface OUT2

crypto ikev1 enable OUT1
crypto ikev1 enable OUT2
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 33.33.33.33 type ipsec-l2l
tunnel-group 33.33.33.33 ipsec-attributes
 ikev1 pre-shared-key *****

-------------------------------------------------------------------------------------

Hope you guys still like to help me :-)

Best regards, Patrick

The tunnel was most likely already established when you made these changes; you would need to tear down and re-establish the VPN for it to point out the correct interface.

--

Please remember to select a correct answer and rate helpful posts

I did "clear crypto isakmp sa" and reopened the tunnel. But still the same: the VPN doesn't go out interface OUT2. But if I disconnect the cable from OUT1, the VPN tunnel goes out OUT2.

If you put the cable back, does it come back through ISP1?

You can try one thing:

no crypto map OUT1_MAP interface OUT1
crypto map OUT1_MAP interface OUT2

crypto map OUT1_MAP interface OUT1

no crypto ikev1 enable OUT1
crypto ikev1 enable OUT2

crypto ikev1 enable OUT1

Also, on the other end, ask them to set the OUT2 interface IP as the priority one and OUT1 as the backup one.

Hope this solves the issue then.

HTH

Regards
Karthik

Hi Karthik.

I tried that, but still the same.

This is the config of the other end.

crypto map outside_map 7 match address outside_cryptomap_7
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 211.11.11.11 212.12.12.14
crypto map outside_map 7 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 7 set reverse-route

tunnel-group 212.12.12.14 type ipsec-l2l
tunnel-group 212.12.12.14 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 211.11.11.11 type ipsec-l2l
tunnel-group 211.11.11.11 ipsec-attributes
 ikev1 pre-shared-key *****


Hi Patrick,

Can you configure the crypto command like this:

crypto map outside_map 7 set peer 212.12.12.14 211.11.11.11

All we need to do is, on both sides, wherever we can prioritize ISP2, do it and try.

Regards
Karthik

Hi Karthik.

The primary should be in the first position; I did that too.

But still the same.

Strange.

Regards, Patrick

Double check your static route for the remote peer. Make sure there isn't a typo. If it is correct, issue the command show route and make sure that the peer route entry has the correct next hop. If you remove the route pointing out OUT1, does the issue still persist?

--

Please remember to select a correct answer and rate helpful posts

If I remove the route pointing out OUT1, the VPN traffic takes the right path.

If I set the route again, the VPN traffic takes the wrong path.

show route:

Gateway of last resort is 212.12.12.12 to network 0.0.0.0

C    172.30.140.0 255.255.255.0 is directly connected, INS1
S    33.33.33.33 255.255.255.255 [2/0] via 212.12.12.12, OUT2
C    212.12.12.14 255.255.255.248 is directly connected, OUT2
S*   0.0.0.0 0.0.0.0 [1/0] via 212.12.12.12, OUT1

Interface OUT1 is a PPPoE DSL interface and interface OUT2 is an Ethernet interface.

Here is the config:

interface Vlan2
 description *** BACKUP ***
 nameif OUT1
 security-level 0
 pppoe client vpdn group pppoex
 ip address pppoe
!
interface Vlan3
 description *** OUTSIDE ***
 nameif OUT2
 security-level 0
 ip address 211.11.11.11 255.255.255.248


Is the PPPoE interface the problem?