Site A Remote Office - LAN 188.8.131.52/24 - Interface connected to ISP connection 1 (main) - 184.108.40.206 - Interface connected to ISP connection 2 (backup) - 220.127.116.11
Site B Main Office - LAN 18.104.22.168/24 - Interface connected to ISP connection 1 (main) - 22.214.171.124 - Interface connected to ISP connection 2 (backup) - 126.96.36.199
What I want to have happen is that there are 2 VPN tunnels between Remote and Main Office: Tunnel 1 188.8.131.52 to 184.108.40.206 and Tunnel 2 220.127.116.11 to 18.104.22.168.
I have set up the tunnels and can get the first tunnel up each time. Traffic flows freely each time to and from sites with no issue.
If I disconnect the main connection to the ISP at Remote office, so the ASA diverts all outgoing traffic from the main connection to the backup connection, then it brings up the 2nd tunnel.
People at the remote site can VPN into the main site with no issue at all. The ASA there knows that all traffic for the main office will go through the backup interface as the main interface is down.
If people at the main office try to access the remote office then they do not have any success! This is because the ASA at the main office still tries to route out via its usual (main) ISP connection, and fails!
How can I get this so there is two-way traffic!
Setting the tunnels at one site to answer only does not seem to solve the problem, as it then still expects to establish the tunnel from the outside!
Summary of config:-
Extract from main office
access-list outside_60_cryptomap extended permit ip Main_Office 255.255.255.0 Remote_LAN 255.255.255.0
access-list backup_40_cryptomap extended permit ip Main_Office 255.255.255.0 Remote_LAN 255.255.255.0
In the summary, you have mentioned the public IP addresses on main and backup interfaces are 22.214.171.124 and 126.96.36.199; 188.8.131.52 and 184.108.40.206 for the ASAs on Site 1 and Site 2 respectively. But in the configuration I see none of these IP addresses as the remote peer. Can you please zip the complete running configuration from both the ASAs and post it here for review?
A couple of questions I have looking at your post:-
i. Do I need to delete the existing details re peers via CLI first, or by entering the command crypto map outside_map 1 set peer 220.127.116.11 18.104.22.168 will this overwrite the existing details? Or do I need to delete them in the CLI first and then re-enter them?
ii. Can I have more than two maps on the same interface - or should I add the details to the maps already defined?
iii. I thought that you had to define direction when setting peers under ASA 5510? As in the example:-
Ok - did not work. But I have an issue with my config that I need to get looked at first!
The issue is this
On the backup interface
Remote office - If I set up the tunnel to originate and Main office to receive then the tunnel comes up - traffic passes from Remote to Main via it fine but not the other way?!
If I reverse so at Main office I change to originate and Remote office to receive then the tunnel does not come up and traffic will not pass. Looking at the Remote log it has "no matching crypto map entry".
Group = 22.214.171.124, IP = 126.96.36.199, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.28.2/255.255.255.255/0/0 local proxy 188.8.131.52/255.255.255.255/0/0 on interface backup
I tried to put the redundant peers into the config as suggested. It tries the primary tunnel as suggested.
However, if the primary link goes down, it does not try the next one on the list! It is as if it is not aware that the VPN has gone down! You can see it in diags trying to reconnect on the primary VPN.
What I want is if the main connection disconnects it tries the next one on the list - but routes the VPN out via the backup interface.
Configs as requested. I changed IP addresses in the example above to ensure that I did not release full details of my config on the web.
Please note that I have therefore used different IP addresses this time!
Main office IP internet addresses 184.108.40.206 & 220.127.116.11 - (backup goes via another router 192.168.30.1 - see static routing)
Remote office IP internet addresses 18.104.22.168.6 & 22.214.171.124 (backup goes via another router 192.168.88.1 - see static routing)
I think the problem is with your route tracking setup. From the remote track the outside IP of the main. From the main track the outside IP of the remote. If the path fails install routes between sites via the backup interface.
My crypto config is basically the same. My sla monitor and routing config is below (verified working). Both firewalls are running 8.2(1).
! firewall-1
! outside ip: 172.24.219.1
sla monitor 10
 type echo protocol ipIcmpEcho 172.24.219.98 interface outside
 timeout 1000
 frequency 3
sla monitor schedule 10 life forever start-time now
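The suggestion above (track the other site's outside IP, not just your own ISP gateway) written out as a complete main-office fragment; this is an added example for ASA 8.2, not a poster's config, and all addresses, interface names, ACL and transform-set names are assumed placeholders. Because the tracked target is the remote site's primary peer, a failure at either end of the primary path withdraws the primary route on this side too, which is what the original poster's main office was missing.

```cisco
! Added example for the main-office ASA 8.2 (placeholders, not a poster's config):
!   remote primary peer 203.0.113.10 (reached via "outside", ISP1 gateway 192.0.2.1)
!   remote backup peer  198.51.100.10 (reached via "backup",  ISP2 gateway 192.168.30.1)
!   Main_Office LAN 10.1.0.0/24, Remote_LAN 10.2.0.0/24
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list backup_cryptomap extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list nonat
! Probe the REMOTE site's primary outside IP, so a failure anywhere on the primary
! path (local ISP1, the Internet, or the remote ISP1 link) counts as "path down".
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.10 interface outside
 num-packets 3
 timeout 1000
 frequency 3
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
! Primary default route is removed while track 1 is down; the floating route on
! "backup" (higher metric) then carries traffic, including the backup tunnel.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route backup 0.0.0.0 0.0.0.0 192.168.30.1 254
! Host route: the remote backup peer must always be reached through "backup",
! otherwise IKE to it is sourced from the wrong interface while ISP1 is up.
route backup 198.51.100.10 255.255.255.255 192.168.30.1 1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! One crypto map per interface; each map lists only the peer reachable via that
! interface, so the "no matching crypto map entry" mismatch cannot occur.
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto map backup_map 10 match address backup_cryptomap
crypto map backup_map 10 set peer 198.51.100.10
crypto map backup_map 10 set transform-set ESP-AES-SHA
crypto map backup_map interface backup
crypto isakmp enable outside
crypto isakmp enable backup
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET
```

The remote-office ASA needs the mirror image (tracking 192.0.2.x's main-office primary peer, with its own backup host route and per-interface crypto maps); after a flip, the stale SA on "outside" is simply left to time out while interesting traffic brings up the tunnel on "backup".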