Solved: Hi Sothengse, You can refer

Sotheng Se · ‎06-09-2014

Dear Supporter,

Could you help me to provide configuration for network diagram as in attached file.

I'm appropriate with your help.

thank you

Best Regards

nkarthikeyan · ‎06-10-2014

Hi Sothengse,

You can refer the below link and configure the ASA's @ Head end and Tailend accordingly to your requirement.

You need to tweak the given example configuration similar with both the ends.... dual ISP's @ both the ends in your scenario....

http://networkology.net/2013/03/08/site-to-site-vpn-with-dual-isp-for-backup-redundancy/

Hope this helps.

Regards

Karthik

View solution in original post

nkarthikeyan · ‎06-10-2014

Hi Sothengse,

You can refer the below link and configure the ASA's @ Head end and Tailend accordingly to your requirement.

You need to tweak the given example configuration similar with both the ends.... dual ISP's @ both the ends in your scenario....

http://networkology.net/2013/03/08/site-to-site-vpn-with-dual-isp-for-backup-redundancy/

Hope this helps.

Regards

Karthik

Sotheng Se · ‎06-12-2014

Dear Support,

The link that you provided me above is really really help me, now It's working. But still have a little bit issue. The issue is that when the primary link is down it takes so long time to switch to backup link maybe 30 to 35 second and have request time out 8 to 9 time on testing PC ( Ping on PC for testing ). Is it possible to force it switch faster between primary link and backup link to avoid many time out ?

very very appreciate with your help!!!

Best Regards

sotheng

nkarthikeyan · ‎06-12-2014

Hi Sotheng,

You can configure with IP SLA & Track in firewall to get this minimized.

Regards

Karthik

Sotheng Se · ‎06-12-2014

Dear Support,

I tried to change SLA & Track number many times, But It still the same as before. Would you please check my SLA configuration as in attached file and let me know whether what is wrong with it?

Thank you

Best Regards,

Sotheng

nkarthikeyan · ‎06-12-2014

Hi Sotheng,

What is the frequency value which you have set for SLA?

And also why you have given outside 1 in ASA1 sla configuration??? Have you made the primary route with outside1 interface and outside is a backup one or how it is?

Regards

Karthik

Sotheng Se · ‎06-13-2014

Dear nkarthikeyan,

Thank so much for your quickly respond.

Please kindly check both network diagram and config as in attached file and kindly let me know whether what is the issue?

thank you

Best Regards,

sotheng

nkarthikeyan · ‎06-13-2014

Hi Sotheng,

Could you make the timeout to default and have a check.

sla monitor 1
type echo protocol ipIcmpEcho 172.16.1.241 interface outside1

default timeout

and also try to tweak the no of packets & frequency a bit to minimize the drops. say no of packets to 2 and frequency as it is.

Also try with the below mentioned debug to find the fallback logs.

debug sla monitor trace—Displays progress of the echo operation.

The tracked object (primary ISP gateway) is up, and ICMP echos succeed.

IP SLA Monitor(123) Scheduler: Starting an operation
IP SLA Monitor(123) echo operation: Sending an echo operation
IP SLA Monitor(123) echo operation: RTT=3 OK
IP SLA Monitor(123) echo operation: RTT=3 OK
IP SLA Monitor(123) echo operation: RTT=4 OK
IP SLA Monitor(123) Scheduler: Updating result

The tracked object (primary ISP gateway) is down, and ICMP echos fail.

IP SLA Monitor(123) Scheduler: Starting an operation
IP SLA Monitor(123) echo operation: Sending an echo operation
IP SLA Monitor(123) echo operation: Timeout
IP SLA Monitor(123) echo operation: Timeout
IP SLA Monitor(123) echo operation: Timeout
IP SLA Monitor(123) Scheduler: Updating result

debug sla monitor error—Displays errors that the SLA monitor process encounters.

The tracked object (primary ISP gateway) is up, and ICMP succeeds.

%PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2
%PIX-7-609001: Built local-host outside:10.0.0.1
%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 
               10.200.159.2/52696 laddr 10.200.159.2/52696
%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 
               10.200.159.2/52696 laddr 10.200.159.2/52696
%PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 duration 
               0:00:00
%PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:00
%PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2
%PIX-7-609001: Built local-host outside:10.0.0.1
%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 
               0.200.159.2/52697 laddr 10.200.159.2/52697
%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 
               10.200.159.2/52697 laddr 10.200.159.2/52697
%PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 
               duration 0:00:00
%PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:00

The tracked object (primary ISP gateway) is down, and the tracked route is removed.

%PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2
%PIX-7-609001: Built local-host outside:10.0.0.1
%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 
               10.200.159.2/6405 laddr 10.200.159.2/6405
%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr  
               10.200.159.2/6406 laddr 10.200.159.2/6406
%PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr  
               10.200.159.2/6407 laddr 10.200.159.2/6407
%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr  
               10.200.159.2/6405 laddr 10.200.159.2/6405
%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr  
               10.200.159.2/6406 laddr 10.200.159.2/6406
%PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr  
               10.200.159.2/6407 laddr 10.200.159.2/6407
%PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 
               duration 0:00:02
%PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:02
%PIX-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.200.159.1,  
               distance 1, table Default-IP-Routing-Table, on interface 
               outside

!--- 10.0.0.1 is unreachable, so the route to the Primary ISP is removed.

Regards

Karthik

Sotheng Se · ‎06-13-2014

Dear nkarthikeyan,

I have followed your step above but It is still the same. when ISP1 down it takes 30 to 35 second to switch to ISP2. And I captured log when I shutdown interface for testing. please kindly check in attached file.

thank you!!!

Best Regards

sotheng

nkarthikeyan · ‎06-13-2014

I do not see any files attached with the recent post....

Regards

Karthik

Sotheng Se · ‎06-13-2014

Dear nkarthikeyan,

Oh, sorry.

Please kindly check again!!!!!

thank you

Best Regards,

sotheng

nkarthikeyan · ‎06-13-2014

Hi Sotheng,

Everything seems to be fine. But am not sure why it is taking so much delay. Here there are two thing one is the internet link & other one is the backup tunnel formation with ISP2 which might be taking time. But let me check if anything can be done as such.

Can you get me the complete configs of both the ASA's. So that i can test and confirm on the same in my lab.

Regards

Karthik

Sotheng Se · ‎06-13-2014

Dear nkarthikeyan,

Thank you so much for your quick respond. But It's customer's configs. Do you mind if you send me your email address?

I need your email address because I will send complete configs to you by email.

thank you

Best Regards,

sotheng

nkarthikeyan · ‎06-13-2014

hi sotheng,

Pls email me @ nkartheekeyan@hotmail.com

Regards

Karthik

Sotheng Se · ‎06-15-2014

Dear nkarthikeyan,

Please kindly find attached file in your hotmail.

Thank you

Regards,

sotheng

Redundancy VPN Site to Site using with dual ISP on cisco ASA