I think I lost my mind over this.
I have 2 ASAs, one at a remote site (ASA5505) and one at our datacenter (ASA5520). The remote site has 2
internet connections, primary is T1 and backup is DSL. All I want to do is this: when the T1 fails,
move the VPN tunnel between the Remote ASA and Datacenter ASA to the DSL link.
What I thought I had to do was, on the Datacenter, create 2 tunnel groups and 2 new policies for the remote office.
Well, nope, it's not working. I have had a TAC case open for 6 weeks and even they don't know! arrrr! Sorry, now that's out.
Remote Site on DSL (220.127.116.11) ------------- Datacenter (18.104.22.168): Crypto Map Policy 170 -> ACL outside_cyptomap_170 -> peer 22.214.171.124 -> Remote Net 192.168.1.0/24
Remote Site on T1 (126.96.36.199) ------------- Datacenter (188.8.131.52): Crypto Map Policy 160 -> ACL outside_crytopmap_160 -> peer 184.108.40.206 -> Remote Net 192.168.1.0/24
I think it's because the network lists overlap, so how do I get this to work? I can't be the only one who has a config like this, or am I?
Which end are you attempting to initiate the tunnel from after the T1 goes down? Take a look here under Usage Guidelines, the paragraph which starts with "Configuring multiple peers". You should be able to set multiple peers in the datacenter ASA instead of creating two distinct tunnel-groups. What is taking care of the routing for the failover in the remote ASA, are you using the Backup ISP option?
I want to initiate the tunnel from the datacenter when the T1 goes down. I'm using the Backup ISP option.
So I just read the link, very good, thank you. Still stuck here. When the T1 is up the tunnel is good, when the T1 is down, nothing. What I get now in the syslog messages is: %PIX|ASA-3-713042: IKE Initiator unable to find policy: Intf
Datacenter is now:
crypto map vpn 160 match address outside_cryptomap_160
crypto map vpn 160 set connection-type originate-only
crypto map vpn 160 set peer t1peer dslpeer
crypto map vpn 160 set transform-set myset

crypto map outside_map 50 match address outside_50_cryptomap
crypto map outside_map 50 set connection-type answer-only
crypto map outside_map 50 set peer datacenter
crypto map outside_map 50 set transform-set myset
Any help would be nice.
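The fragments above only show the crypto map entries. As an added example, not posted by anyone in this thread and not from Cisco TAC, here is what a complete two-peer setup looks like on both boxes in the 7.2/8.0-era syntax the thread is using: the datacenter initiates with one map entry and two peers (the "Configuring multiple peers" approach suggested earlier), and the remote 5505 uses the Backup ISP option (an SLA-tracked default route on the T1, a floating default route on the DSL) so interesting traffic actually leaves by the surviving link. Every address is assumed (RFC 5737 documentation ranges): datacenter outside 203.0.113.1, remote T1 192.0.2.10 via gateway 192.0.2.1, remote DSL 198.51.100.10 via gateway 198.51.100.1, datacenter LAN 10.10.0.0/16, remote LAN 192.168.1.0/24. The interface name "backup", the ACL, map, transform-set and SLA/track numbers, and the pre-shared key are placeholders too. Two caveats a practitioner would check: with IKEv1 pre-shared keys the L2L tunnel-group name is the peer address, so the datacenter needs a tunnel-group for each remote address even though it needs only one crypto map entry; and on the remote side IKE must be enabled, and the crypto map applied, on both interfaces, otherwise the DSL path can never answer.

```cisco
! ===== Datacenter ASA 5520 (assumed addresses, see lead-in) =====
! Interesting traffic: one ACL, one map entry, two peers tried in order
access-list outside_cryptomap_160 extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
! NAT exemption so tunnel traffic is not translated (8.0-era syntax)
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set myset esp-aes esp-sha-hmac

! originate-only: this side always brings the tunnel up; peers are tried in the listed order
crypto map vpn 160 match address outside_cryptomap_160
crypto map vpn 160 set connection-type originate-only
crypto map vpn 160 set peer 192.0.2.10 198.51.100.10
crypto map vpn 160 set transform-set myset
crypto map vpn interface outside

! IKEv1 PSK L2L: tunnel-group name == peer address, so one group per remote address.
! DPD (isakmp keepalive) is what notices the dead T1 peer and lets the map move on to the DSL peer.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key ExamplePSK
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key ExamplePSK
 isakmp keepalive threshold 10 retry 2

! ===== Remote ASA 5505 (T1 on "outside", DSL on "backup"; assumed names/addresses) =====
! Backup ISP option: probe the T1 next hop; if it stops answering, the tracked default
! route is withdrawn and the metric-254 floating route via the DSL takes over.
! (Tracking only the next hop misses failures further upstream; probe something beyond it if you can.)
sla monitor 123
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

access-list outside_50_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! IKE enabled and the same crypto map bound on BOTH links, or the DSL side cannot answer
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set myset esp-aes esp-sha-hmac

crypto map outside_map 50 match address outside_50_cryptomap
crypto map outside_map 50 set connection-type answer-only
crypto map outside_map 50 set peer 203.0.113.1
crypto map outside_map 50 set transform-set myset
crypto map outside_map interface outside
crypto map outside_map interface backup

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key ExamplePSK
 isakmp keepalive threshold 10 retry 2
```

To test it, pull the T1 and watch `show route` on the 5505 switch to the backup gateway, then `show crypto isakmp sa` on the datacenter: the SA with the T1 address should time out via DPD (roughly the threshold plus retries) and a new one should come up against the DSL address. If a stale SA toward the T1 peer lingers, `clear crypto isakmp sa` on the datacenter forces the originate-only map to retry, which is also a quick way to confirm that the second peer and its tunnel-group are accepted before relying on DPD.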
I have tried with and without.
Remote access or LAN-to-LAN sessions can drop for several reasons, such as: a security appliance shutdown or reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off.
The security appliance can notify qualified peers (in LAN-to-LAN configurations), Cisco VPN Clients and VPN 3002 hardware clients of sessions that are about to be disconnected. The peer or client receiving the alert decodes the reason and displays it in the event log or in a pop-up panel. This feature is disabled by default.
Qualified clients and peers include the following:
- Security appliances with Alerts enabled.
- Cisco VPN clients running version 4.0 or later software (no configuration required).
- VPN 3002 hardware clients running version 4.0 or later software, and with Alerts enabled.
- VPN 3000 Series concentrators running version 4.0 or later software, with Alerts enabled.
To enable disconnect notification to IPSec peers, enter the isakmp disconnect-notify command.
Tried it for kicks.
Ah, OK. I was trying to figure out how the peer would be notified that the tunnel was dropping when the connection (T1) would not be there to be able to alert the peer. Also, the peers would know because of Dead Peer Detection that the peer was no longer available.
Can TAC explain why the datacenter ASA is not attempting the backup peer?
If you take out the primary peer from the config and just use the backup peer, does this work? (With the T1 unplugged, of course.)
TAC has no idea :(
"If you take out the primary peer from the config and just use the backup peer, does this work? (With the T1 unplugged, of course.)" I will have to try this.
Hi guys, have you found any solution?
I have looked at your config; isn't it missing some statics to allow outbound connections?
I'm still working with Cisco on this. They say 8.0.2 code will fix this, but it has not worked for me.
Here is the bug.