ASA IPSec VPN with two active ISP

antonkupriyanov (Level 1)

Hi to ALL!

I have one question.

So, I have an ASA running 9.2(1) software connected to the ISPs with SLA enabled.

I need to configure a redundant IPSec VPN via ISP2, while all other traffic should pass through ISP1. If one of the ISPs goes down, all traffic including the VPN should be routed via the ISP that is still alive.

I have SLA configured and it works.

ciscoasa# show run route
route isp1 0.0.0.0 0.0.0.0 10.175.2.5 5 track 1
route isp2 0.0.0.0 0.0.0.0 10.175.3.5 10 track 2
route isp2 172.22.10.5 255.255.255.255 10.175.3.5 1 track 2

Here we can see that if ISP1 and ISP2 are both UP, all traffic is routed via ISP1, but traffic destined for the IPSec remote peer 172.22.10.5 is routed via ISP2.

This configuration works only when isp1 or isp2 is down, or if the static route to host 172.22.10.5 is removed. When both ISPs are up, the ASA doesn't send any IPSec packets to the remote side.

 

ciscoasa# show run nat
nat (inside,isp2) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup
nat (inside,isp1) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup

 

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map cm_vpnc 10 match address acl_vpn
crypto map cm_vpnc 10 set pfs
crypto map cm_vpnc 10 set peer 172.22.10.5
crypto map cm_vpnc 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map cm_vpnc 10 set security-association lifetime seconds 86400
crypto map cm_vpnc interface isp1
crypto map cm_vpnc interface isp2
crypto ca trustpool policy
crypto ikev1 enable isp1
crypto ikev1 enable isp2
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

 

ciscoasa# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 192.168.2.1     255.255.255.0   CONFIG
Vlan2                    isp1                   10.175.2.10     255.255.255.0   CONFIG
Vlan3                    isp2                   10.175.3.10     255.255.255.0   CONFIG

 

The main question is: why?

Thank you in advance,

Anton

16 Replies

Hi , 

At the remote side, what is configured as the VPN peer? It should be your ISP1 and ISP2 interface IP addresses. How is it configured, like primary and secondary?

 

HTH

Sandy

ISP2 is the primary interface for VPN traffic, but at the same time ISP1 is primary for other traffic. Each of them is redundant for the other.

Hi Sandy,

Here is remote side VPN configuration.

As I mentioned before, the VPN works well via the isp2 interface on the ASA if isp1 is down, or via the isp1 interface if isp2 is down. If both interfaces are UP, nothing works. But I can ping the remote gateway.

R301-EST#show run | s crypto map

 

crypto map cp-ipsec 10 ipsec-isakmp
 set peer 10.175.3.10
 set peer 10.175.2.10
 set transform-set ESP-AES-256-SHA
 set pfs group2
 match address 100

R301-EST#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES NVRAM  administratively down down
Ethernet0/1                192.168.10.1    YES NVRAM  up                    up
Ethernet0/2                172.22.10.5     YES NVRAM  up                    up
Ethernet0/3                unassigned      YES NVRAM  administratively down down
R301-EST#

Hi Anton,

If you check the log messages on your ASA R301-EST, it tries to build the VPN tunnel with both IP addresses and receives packets asymmetrically from your remote ciscoasa.

To avoid this asymmetric connection, configure your peer IP addresses as primary and secondary on your R301-EST:

set peer 10.175.3.10 10.175.2.10

Remove the track on your routing entry:

route isp2 172.22.10.5 255.255.255.255 10.175.3.5

It should work for you.

Similarly, bring down your ISP2; you should see the VPN tunnel come up on ISP1.

 

HTH

Sandy 

 

Hi Sandy,

 

I have an IOS router on the remote side, so I did it this way:

 

R301-EST#show run | s crypto map
crypto map cp-ipsec 10 ipsec-isakmp
 set peer 10.175.3.10 default
 set peer 10.175.2.10
 set transform-set ESP-AES-256-SHA
 set pfs group2
 match address 100

Seems it works now! Thank you very much! I'll drink a beer for your health. ;)

But how can track affect VPN decisions on the ASA? I'm testing now, and it seems it also works with tracking on the routing entry.

 

Thank you very much!

Anton

 

 

Hi Anton , 

Don't hurt your health with alcohol.

The track command along with a route is primarily used to keep your routes in the routing table based on the condition applied. Here, if your ISP2 fails, the configured route will be removed from your routing table. My apologies, it's good to have the track command for your VPN destination; when the ISP2 link fails, traffic will be sent via the primary link.

If you look at the route below for your VPN destination, the primary path is via your ISP2 due to the default value; I hadn't noticed the default weightage.

route isp2 172.22.10.5 255.255.255.255 10.175.3.5 1 track 2

Your first correction is sufficient for your requirement.

 

HTH

Sandy 

 

Sandy,

 

After testing, I realized that it doesn't work...

When the ASA's routing table has two routes to the remote host via different interfaces, the ASA selects the wrong one, even though the correct one has the longest mask... ((

 

Gateway of last resort is 10.175.2.5 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [5/0] via 10.175.2.5, isp1
C        10.175.2.0 255.255.255.0 is directly connected, isp1
L        10.175.2.10 255.255.255.255 is directly connected, isp1
C        10.175.3.0 255.255.255.0 is directly connected, isp2
L        10.175.3.10 255.255.255.255 is directly connected, isp2
S        172.22.10.5 255.255.255.255 [1/0] via 10.175.3.5, isp2
C        192.168.2.0 255.255.255.0 is directly connected, inside
L        192.168.2.1 255.255.255.255 is directly connected, inside

 

ciscoasa# Jun 17 14:27:57 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jun 17 14:27:57 [IKEv1]IP = 172.22.10.5, Attempting to establish a phase2 tunnel on isp1 interface but phase1 tunnel is on isp2 interface. Tearing down old phase1 tunnel due to a potential routing change.
Jun 17 14:27:57 [IKEv1]IP = 172.22.10.5, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.22.10.5  local Proxy Address 192.168.2.0, remote Proxy Address 192.168.10.0,  Crypto map (cm_vpnc)
Jun 17 14:27:57 [IKEv1 DEBUG]Group = 172.22.10.5, IP = 172.22.10.5, IKE SA MM:82e925f4 rcv'd Terminate: state MM_ACTIVE  flags 0x0020c062, refcnt 1, tuncnt 1
Jun 17 14:27:57 [IKEv1 DEBUG]IP = 172.22.10.5, constructing ISAKMP SA payload
Jun 17 14:27:57 [IKEv1 DEBUG]IP = 172.22.10.5, constructing NAT-Traversal VID ver 02 payload
Jun 17 14:27:57 [IKEv1 DEBUG]IP = 172.22.10.5, constructing NAT-Traversal VID ver 03 payload
Jun 17 14:27:57 [IKEv1 DEBUG]IP = 172.22.10.5, constructing NAT-Traversal VID ver RFC payload
Jun 17 14:27:57 [IKEv1 DEBUG]IP = 172.22.10.5, constructing Fragmentation VID + extended capabilities payload
Jun 17 14:27:57 [IKEv1]IP = 172.22.10.5, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Jun 17 14:27:57 [IKEv1 DEBUG]Group = 172.22.10.5, IP = 172.22.10.5, sending delete/delete with reason message
Jun 17 14:27:57 [IKEv1 DEBUG]Group = 172.22.10.5, IP = 172.22.10.5, constructing blank hash payload
Jun 17 14:27:57 [IKEv1 DEBUG]Group = 172.22.10.5, IP = 172.22.10.5, constructing IPSec delete payload
Jun 17 14:27:57 [IKEv1 DEBUG]Group = 172.22.10.5, IP = 172.22.10.5, constructing qm hash payload
Jun 17 14:27:57 [IKEv1]IP = 172.22.10.5, IKE_DECODE SENDING Message (msgid=1a93de65) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Jun 17 14:27:57 [IKEv1 DEBUG]Group = 172.22.10.5, IP = 172.22.10.5, Active unit receives a delete event for remote peer 172.22.10.5.

Jun 17 14:27:57 [IKEv1 DEBUG]Group = 172.22.10.5, IP = 172.22.10.5, IKE Deleting SA: Remote Proxy 192.168.10.0, Local Proxy 192.168.2.0
Jun 17 14:27:57 [IKEv1 DEBUG]Group = 172.22.10.5, IP = 172.22.10.5, IKE SA MM:82e925f4 terminating:  flags 0x0120c022, refcnt 0, tuncnt 0
Jun 17 14:27:57 [IKEv1 DEBUG]Group = 172.22.10.5, IP = 172.22.10.5, sending delete/delete with reason message
Jun 17 14:27:57 [IKEv1 DEBUG]Group = 172.22.10.5, IP = 172.22.10.5, constructing blank hash payload
Jun 17 14:27:57 [IKEv1 DEBUG]Group = 172.22.10.5, IP = 172.22.10.5, constructing IKE delete payload
Jun 17 14:27:57 [IKEv1 DEBUG]Group = 172.22.10.5, IP = 172.22.10.5, constructing qm hash payload
Jun 17 14:27:57 [IKEv1]IP = 172.22.10.5, IKE_DECODE SENDING Message (msgid=2562153d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 17 14:27:57 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x13a220f0
Jun 17 14:27:57 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x13a220f0
Jun 17 14:27:57 [IKEv1]Group = 172.22.10.5, IP = 172.22.10.5, Session is being torn down. Reason: Unknown
Jun 17 14:27:57 [IKEv1]Ignoring msg to mark SA with dsID 8192 dead because SA deleted
Jun 17 14:27:57 [IKEv1]IKE Receiver: Packet received on 10.175.3.10:500 from 172.22.10.5:500
Jun 17 14:27:57 [IKEv1]IP = 172.22.10.5, Received encrypted packet with no matching SA, dropping
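The debug output above shows the ASA tearing down its phase 1 SA on one interface because the phase 2 path came up on another, after which the peer's next encrypted packet no longer matches any SA. As an added example (not code from the thread or from Cisco), here is a small Python triage script that pulls exactly those events out of an IKEv1 debug capture: the interface mismatch, which local interface the peer's packets arrived on (mapped from the addresses in the "show ip" output earlier in the thread), the teardown reason and the "no matching SA" drops. The sample lines are the ones posted above, abridged; the address-to-interface map and the verdict wording are the example's own assumptions.

```python
"""Triage of ASA IKEv1 debug output for tunnel flaps between interfaces (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Local ISAKMP addresses -> interface names, taken from 'show ip' in the thread.
LOCAL_ADDR_IFACE = {"10.175.2.10": "isp1", "10.175.3.10": "isp2"}

RE_PHASE_MISMATCH = re.compile(
    r"Attempting to establish a phase2 tunnel on (\S+) interface "
    r"but phase1 tunnel is on (\S+) interface")
RE_RECEIVER = re.compile(
    r"IKE Receiver: Packet received on (\d+\.\d+\.\d+\.\d+):\d+ from (\d+\.\d+\.\d+\.\d+):\d+")
RE_NO_SA = re.compile(r"Received encrypted packet with no matching SA")
RE_TEARDOWN = re.compile(r"Session is being torn down\. Reason: (.+)$")
RE_TS = re.compile(r"^(?:\S+# )?(\w{3} \d+ \d\d:\d\d:\d\d) ")   # optional 'hostname# ' prefix


def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise which interfaces phase 1 / phase 2 were on and what was torn down."""
    flips: List[Tuple[str, str]] = []      # (phase 1 interface, interface phase 2 tried)
    received_on: Counter = Counter()       # local interface that received the peer's packets
    teardowns: List[str] = []
    no_sa_drops = 0
    timestamps: List[str] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = RE_TS.match(line)
        if m:
            timestamps.append(m.group(1))
        m = RE_PHASE_MISMATCH.search(line)
        if m:
            flips.append((m.group(2), m.group(1)))
        m = RE_RECEIVER.search(line)
        if m:
            received_on[LOCAL_ADDR_IFACE.get(m.group(1), m.group(1))] += 1
        if RE_NO_SA.search(line):
            no_sa_drops += 1
        m = RE_TEARDOWN.search(line)
        if m:
            teardowns.append(m.group(1).strip())
    verdict = "stable"
    if flips:
        # The last mismatch tells us where phase 1 lived and where routing sent phase 2.
        verdict = "routing flap: phase 1 was on %s, phase 2 traffic chose %s" % flips[-1]
    return {"flips": flips, "received_on": dict(received_on),
            "teardowns": teardowns, "no_sa_drops": no_sa_drops,
            "window": (timestamps[0], timestamps[-1]) if timestamps else None,
            "verdict": verdict}


# Sample input: the debug lines posted in the thread, abridged.
THREAD_DEBUG = """\
ciscoasa# Jun 17 14:27:57 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jun 17 14:27:57 [IKEv1]IP = 172.22.10.5, Attempting to establish a phase2 tunnel on isp1 interface but phase1 tunnel is on isp2 interface. Tearing down old phase1 tunnel due to a potential routing change.
Jun 17 14:27:57 [IKEv1]IP = 172.22.10.5, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.22.10.5  local Proxy Address 192.168.2.0, remote Proxy Address 192.168.10.0,  Crypto map (cm_vpnc)
Jun 17 14:27:57 [IKEv1]Group = 172.22.10.5, IP = 172.22.10.5, Session is being torn down. Reason: Unknown
Jun 17 14:27:57 [IKEv1]IKE Receiver: Packet received on 10.175.3.10:500 from 172.22.10.5:500
Jun 17 14:27:57 [IKEv1]IP = 172.22.10.5, Received encrypted packet with no matching SA, dropping
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(THREAD_DEBUG).items():
        print(f"{key}: {value}")
```

Run against the thread's capture it reports one flip (phase 1 on isp2, phase 2 attempted on isp1), the peer's packet arriving on isp2 and one "no matching SA" drop, which is the signature of the phase 2 path and the phase 1 path disagreeing about the exit interface.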

 

Dear Anton,

What is the scenario you are testing now? Kindly help me with the details. Is your VPN tunnel not working now?

 

Sandy,

I'm still testing the same scenario...

1. The ASA has two outside interfaces, isp1 and isp2. Both of them are UP. isp1 is used as the primary interface for all traffic from the LAN and isp2 is used just for the IPSec VPN to the remote site.

2. If either of these interfaces goes down, the other one takes over its functions and forwards all traffic (traffic from the LAN and the VPN).

What I have now...

The problem occurs when both interfaces are UP and the routing table has two routes to the remote site: the default route via isp1 and the static route via isp2.


S*    0.0.0.0 0.0.0.0 [5/0] via 10.175.2.5, isp1
C        10.175.2.0 255.255.255.0 is directly connected, isp1
L        10.175.2.10 255.255.255.255 is directly connected, isp1
C        10.175.3.0 255.255.255.0 is directly connected, isp2
L        10.175.3.10 255.255.255.255 is directly connected, isp2
S        172.22.10.5 255.255.255.255 [1/0] via 10.175.3.5, isp2
C        192.168.2.0 255.255.255.0 is directly connected, inside
L        192.168.2.1 255.255.255.255 is directly connected, inside

In this case the ASA doesn't even try to establish the VPN connection.

If I remove the route to 172.22.10.5, the VPN is established via isp1 immediately. Also, if I remove the default route, the VPN is established via isp2. If both routes are present in the routing table, the ASA just doesn't even try, as I said.

 

When the VPN is established and I bring up the second interface, the VPN drops. (Here the VPN was established through isp2 (isp1 was down), and after no shutdown I got these debug messages.)

 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jun 17 14:27:57 [IKEv1]IP = 172.22.10.5, Attempting to establish a phase2 tunnel on isp1 interface but phase1 tunnel is on isp2 interface. Tearing down old phase1 tunnel due to a potential routing change.
Jun 17 14:27:57 [IKEv1]IP = 172.22.10.5, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.22.10.5  local Proxy Address 192.168.2.0, remote Proxy Address 192.168.10.0,  Crypto map (cm_vpnc)

 

The ASA is stuck in:

1   IKE Peer: 172.22.10.5
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

 

The remote router doesn't receive a single packet from the ASA.

 

I even removed the backup peer on the remote site for testing purposes...

I have two NAT rules and ikev1 tied to both interfaces. But it won't work even if I remove all the isp1-related stuff...

 

ciscoasa# show run nat
nat (inside,isp2) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup
nat (inside,isp1) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup

ciscoasa# show run | i ikev1 enable
crypto ikev1 enable isp1
crypto ikev1 enable isp2

 

So, it works if the routing table has just one route to the remote router. And I can't understand why the longest-mask rule doesn't work... Why can't the ASA select the outgoing interface...

I'm already thinking about a SW upgrade... (

Thank you for your help Sandy!
Hi Anton , 

Wondering how it's trying to build the Phase 2 tunnel with interface ISP1. All traffic should be via the ISP2 interface. What is your ASA code?

Share your ASA config and router config.

Jun 17 14:27:57 [IKEv1]IP = 172.22.10.5, Attempting to establish a phase2 tunnel on isp1 interface but phase1 tunnel is on isp2 interface. Tearing down old phase1 tunnel due to a potential routing change.

 

 

Sandy,

Configs are attached.

Currently testing on a 5505, then I will configure the 5512, which is in production.

I've already tried to upgrade/downgrade the ASA, but without success...

Anton

 

Hi Anton,

Modify your IP SLA destination IP address to the gateway IP address, like 10.175.2.5 for ISP1 and 10.175.3.5 for ISP2.

By doing this, the active route will be populated in the routing table. The inactive route will disappear from the routing table.

 type echo protocol ipIcmpEcho 10.175.1.21 interface isp1
 type echo protocol ipIcmpEcho 10.175.1.22 interface isp2

Sandy,

I did it out of curiosity, but SLA has been working before... There were no problems with SLA...

isp1 UP, isp2 UP

S    172.22.10.5 255.255.255.255 [1/0] via 10.175.3.5, isp2
C    10.175.3.0 255.255.255.0 is directly connected, isp2
C    10.175.2.0 255.255.255.0 is directly connected, isp1
C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [5/0] via 10.175.2.5, isp1

isp1 DOWN, isp2 UP

S    172.22.10.5 255.255.255.255 [1/0] via 10.175.3.5, isp2
C    10.175.3.0 255.255.255.0 is directly connected, isp2
C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [10/0] via 10.175.3.5, isp2

isp1 UP, isp2 DOWN

C    10.175.2.0 255.255.255.0 is directly connected, isp1
C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [5/0] via 10.175.2.5, isp1

 

 

ciscoasa# show run sla monitor
sla monitor 1
 type echo protocol ipIcmpEcho 10.175.2.5 interface isp1
 timeout 1000
 threshold 2000
 frequency 3
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 10.175.3.5 interface isp2
 timeout 1000
 threshold 2000
 frequency 3
sla monitor schedule 2 life forever start-time now
ciscoasa#
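The three routing tables above show what the SLA tracks are meant to achieve: the host route to the peer survives only while isp2's SLA succeeds, and the default route shifts between ISPs by administrative distance. The following Python model (an added example, not Cisco code and not a description of the ASA's internals) replays the thread's route statements through longest-prefix match with tracked routes withdrawn when the corresponding SLA fails. It also runs the untracked host route that Sandy first suggested, to show the case where that variant keeps sending peer traffic into an ISP whose link is up but whose upstream is unreachable. The track-to-interface mapping is taken from the sla monitor configuration; the internet test address 198.51.100.7 and the split of interface state into "link" and "sla" are the example's own assumptions.

```python
"""Model of ASA static routing with SLA-tracked routes (added example, not ASA code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    interface: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    distance: int          # administrative distance (the numeric field in the route line)
    track: Optional[int]   # track object id, or None for an untracked route


# Track object -> interface whose SLA monitor it follows ("sla monitor 1/2" in the thread).
TRACK_INTERFACE = {1: "isp1", 2: "isp2"}


def route(line: str) -> StaticRoute:
    """Parse an ASA 'route <if> <net> <mask> <gw> <distance> [track <id>]' line."""
    parts = line.split()
    assert parts[0] == "route" and len(parts) >= 6
    net = ipaddress.IPv4Network((parts[2], parts[3]))
    track = int(parts[7]) if len(parts) > 7 and parts[6] == "track" else None
    return StaticRoute(parts[1], net, parts[4], int(parts[5]), track)


# The routes posted in the thread ("show run route").
THREAD_ROUTES = [
    route("route isp1 0.0.0.0 0.0.0.0 10.175.2.5 5 track 1"),
    route("route isp2 0.0.0.0 0.0.0.0 10.175.3.5 10 track 2"),
    route("route isp2 172.22.10.5 255.255.255.255 10.175.3.5 1 track 2"),
]

# Sandy's first suggestion: the same host route without a track object.
UNTRACKED_ROUTES = THREAD_ROUTES[:2] + [
    route("route isp2 172.22.10.5 255.255.255.255 10.175.3.5 1"),
]

# Per-interface state: "link" = physical link up, "sla" = SLA echo to the gateway succeeding.
LinkState = Dict[str, Dict[str, bool]]


def installed(routes: List[StaticRoute], state: LinkState) -> List[StaticRoute]:
    """Routes that remain in the routing table for the given link/SLA state."""
    keep = []
    for r in routes:
        if not state[r.interface]["link"]:
            continue                       # interface down: its static routes are gone
        if r.track is not None and not state[TRACK_INTERFACE[r.track]]["sla"]:
            continue                       # tracked SLA failed: route withdrawn
        keep.append(r)
    return keep


def exit_interface(dst: str, state: LinkState,
                   routes: List[StaticRoute] = THREAD_ROUTES) -> Optional[str]:
    """Longest-prefix match; administrative distance breaks ties between equal prefixes."""
    addr = ipaddress.IPv4Address(dst)
    cands = [r for r in installed(routes, state) if addr in r.prefix]
    if not cands:
        return None
    best = min(cands, key=lambda r: (-r.prefix.prefixlen, r.distance))
    return best.interface


def st(isp1_link=True, isp1_sla=True, isp2_link=True, isp2_sla=True) -> LinkState:
    """Build a link-state table for the two ISP interfaces."""
    return {"isp1": {"link": isp1_link, "sla": isp1_sla},
            "isp2": {"link": isp2_link, "sla": isp2_sla}}


if __name__ == "__main__":
    PEER, INTERNET = "172.22.10.5", "198.51.100.7"   # 198.51.100.7 is a constructed test address
    for label, s in [("both up", st()),
                     ("isp1 down", st(isp1_link=False)),
                     ("isp2 down", st(isp2_link=False)),
                     ("isp2 link up, SLA failed", st(isp2_sla=False))]:
        print(f"{label:26} peer->{exit_interface(PEER, s)}  internet->{exit_interface(INTERNET, s)}")
    print("untracked host route, isp2 SLA failed: peer->",
          exit_interface(PEER, st(isp2_sla=False), UNTRACKED_ROUTES))
```

With the tracked routes the model gives the same answers as the three tables above; the last line is the case the track protects against: without "track 2" the /32 host route stays installed while isp2's upstream is dead, so the peer's traffic never falls back to isp1.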

 

Hi Anton,

The answer is here for you; the problem is due to RRI:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html

Enable this:

crypto map cm_vpnc 10 set reverse-route

Awaiting your result response.

HTH

Sandy
