New Member

Terminate RA VPN clients on 2nd Intfc from different ISP?

Our ASA 5520 was used to terminate VPN clients only.  Today I terminated a 2nd ISP connection on another interface and made that the default interface on the firewall.

As soon as I did that, VPN connections no longer connected to the original interface, I'm assuming because the response packets are now exiting via the new default interface. I had thought that the reverse-route command would take care of this issue but it doesn't appear to be doing the trick.

Is this dual-ISP configuration possible?  How to get the ASA to respond to VPN connection attempts on the non-default interface?

Thanks in advance for any suggestions!

5 REPLIES
Silver

Re: Terminate RA VPN clients on 2nd Intfc from different ISP?

Hello,

Hope you are doing well!

Well, yes, the scenario is possible. Could you please attach the configuration and I will suggest a workaround accordingly.

Thanks

Ankur

New Member

Re: Terminate RA VPN clients on 2nd Intfc from different ISP?

Thanks.

Hopefully the attached config gives enough information. Interface Outside2 is the one I added and set as the default route. It worked fine but the VPN client connections on Outside then stopped negotiating. As you can see, I've set 'Outside' back to default for the time being, and generic web traffic is using another firewall.

Cisco Employee

Re: Terminate RA VPN clients on 2nd Intfc from different ISP?

Hello,

Can you please try this command on the firewall:

route outside2 192.168.252.0 255.255.255.0

Hope this helps.

Regards,

NT

New Member

Re: Terminate RA VPN clients on 2nd Intfc from different ISP?

Thank you for the suggestion.

I did add the route but I'm afraid we're failing during the initial ISAKMP negotiation before the 192.168.252.x address is even applied. The firewall log simply shows 'duplicate Phase 1 packet detected' which probably means that the ASA's ISAKMP response is going out the new default interface (outside2) and the remote system is not accepting it.

'Outside' is the interface the VPN traffic comes in on and 'Outside2' is the new general route to the internet.  The config I sent you reflects my change back to the original route to allow VPN users to connect.  Sorry for the confusion.

Cisco Employee

Re: Terminate RA VPN clients on 2nd Intfc from different ISP?

Hello,

Also, you might want to remove the RRI configuration as that will install host routes. And when the router looks up the host routes, the next hop will be visible via the default route.

Regards,

NT
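The thread leaves two claims to verify on the box: that the ISAKMP reply is leaving via the new default interface, and that RRI is installing host routes for the client pool. The following ASA CLI session is an added example, not taken from any of the posters or the attached config, showing how to confirm both before changing routing. Interface names follow the posts (Outside, Outside2); the gateway addresses, the dynamic-map name DYN-MAP and sequence number 10 are placeholders.

```cisco
! Added example (not from the thread). Placeholders: <ISP2_GW>, DYN-MAP, 10.

! 1. Which interface carries the default route right now?
!    The symptom in the thread appeared as soon as the default moved to Outside2.
asa# show route | include 0.0.0.0 0.0.0.0

! 2. Is ISAKMP enabled on the interface the clients actually hit (Outside),
!    and are any Phase 1 SAs forming at all?
asa# show running-config crypto isakmp
asa# show crypto isakmp sa

! 3. Does RRI install /32 host routes for the pool (192.168.252.0/24)?
!    These only exist while a client is connected, so check during a session.
asa# show route | include 192.168.252
asa# show running-config crypto dynamic-map | include reverse-route

! 4. If nothing on the inside needs to learn those /32s (no dynamic routing
!    protocol redistributing them), remove RRI as the last reply suggests.
asa# configure terminal
asa(config)# no crypto dynamic-map DYN-MAP 10 set reverse-route

! 5. A static route on the ASA must name a next hop:
!    route <ifname> <network> <mask> <gateway> [metric]
!    The route suggested earlier in the thread, with the gateway filled in:
asa(config)# route Outside2 192.168.252.0 255.255.255.0 <ISP2_GW>
```

Note that step 5 only affects traffic destined for the pool after a tunnel is up; it does not change which interface the ASA's own ISAKMP replies leave from, which is the failure the 'duplicate Phase 1 packet detected' log points at. Steps 1 and 2 are the ones that confirm that diagnosis.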
