Redundancy VPN Site to Site using dual ISP on Cisco ASA

 

Dear Supporter,

Could you help me by providing a configuration for the network diagram in the attached file?

I appreciate your help.

Thank you

 

Best Regards

 


 


Accepted Solutions


Hi Sothengse,

 

You can refer to the link below and configure the ASAs at the head end and tail end according to your requirement.

You need to tweak the given example configuration similarly at both ends, with dual ISPs at both ends in your scenario.

 

http://networkology.net/2013/03/08/site-to-site-vpn-with-dual-isp-for-backup-redundancy/

Hope this helps.

 

Regards

Karthik

25 REPLIES



 

Dear Support,

The link that you provided above really helped me; now it's working. But I still have a small issue. When the primary link goes down, it takes a long time to switch to the backup link, maybe 30 to 35 seconds, and I get 8 to 9 request timeouts on the testing PC (ping on the PC for testing). Is it possible to force it to switch faster between the primary link and the backup link to avoid so many timeouts?

 

I very much appreciate your help!!!

Best Regards

sotheng


Hi Sotheng,

You can configure IP SLA and tracking on the firewall to minimize this.

 

Regards

Karthik


 

Dear Support,

I tried to change the SLA and track numbers many times, but it is still the same as before. Would you please check my SLA configuration in the attached file and let me know what is wrong with it?

Thank you

Best Regards,

Sotheng


Hi Sotheng,

 

What frequency value have you set for the SLA?

Also, why have you given outside1 in the ASA1 SLA configuration? Have you made the primary route use the outside1 interface, with outside as the backup, or how is it set up?

 

Regards

Karthik


Dear nkarthikeyan,

Thank you so much for your quick response.

Please kindly check both the network diagram and the config in the attached file and let me know what the issue is.

 

thank you

Best Regards,

sotheng


Hi Sotheng,

 

Could you set the timeout to default and check?

sla monitor 1
 type echo protocol ipIcmpEcho 172.16.1.241 interface outside1

default timeout

Also try to tweak the number of packets and the frequency a bit to minimize the drops: say, number of packets to 2 and frequency as it is.

Also try the debugs mentioned below to find the fallback logs.

 

  • debug sla monitor trace—Displays progress of the echo operation.

    • The tracked object (primary ISP gateway) is up, and ICMP echos succeed.

      IP SLA Monitor(123) Scheduler: Starting an operation
      IP SLA Monitor(123) echo operation: Sending an echo operation
      IP SLA Monitor(123) echo operation: RTT=3 OK
      IP SLA Monitor(123) echo operation: RTT=3 OK
      IP SLA Monitor(123) echo operation: RTT=4 OK
      IP SLA Monitor(123) Scheduler: Updating result
    • The tracked object (primary ISP gateway) is down, and ICMP echos fail.

      IP SLA Monitor(123) Scheduler: Starting an operation
      IP SLA Monitor(123) echo operation: Sending an echo operation
      IP SLA Monitor(123) echo operation: Timeout
      IP SLA Monitor(123) echo operation: Timeout
      IP SLA Monitor(123) echo operation: Timeout
      IP SLA Monitor(123) Scheduler: Updating result
  • debug sla monitor error—Displays errors that the SLA monitor process encounters.

    • The tracked object (primary ISP gateway) is up, and ICMP succeeds.

      %PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2
      %PIX-7-609001: Built local-host outside:10.0.0.1
      %PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 
                     10.200.159.2/52696 laddr 10.200.159.2/52696
      %PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 
                     10.200.159.2/52696 laddr 10.200.159.2/52696
      %PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 duration 
                     0:00:00
      %PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:00
      %PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2
      %PIX-7-609001: Built local-host outside:10.0.0.1
      %PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 
                     0.200.159.2/52697 laddr 10.200.159.2/52697
      %PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr 
                     10.200.159.2/52697 laddr 10.200.159.2/52697
      %PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 
                     duration 0:00:00
      %PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:00
    • The tracked object (primary ISP gateway) is down, and the tracked route is removed.

      %PIX-7-609001: Built local-host NP Identity Ifc:10.200.159.2
      %PIX-7-609001: Built local-host outside:10.0.0.1
      %PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr 
                     10.200.159.2/6405 laddr 10.200.159.2/6405
      %PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr  
                     10.200.159.2/6406 laddr 10.200.159.2/6406
      %PIX-6-302020: Built ICMP connection for faddr 10.0.0.1/0 gaddr  
                     10.200.159.2/6407 laddr 10.200.159.2/6407
      %PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr  
                     10.200.159.2/6405 laddr 10.200.159.2/6405
      %PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr  
                     10.200.159.2/6406 laddr 10.200.159.2/6406
      %PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr  
                     10.200.159.2/6407 laddr 10.200.159.2/6407
      %PIX-7-609002: Teardown local-host NP Identity Ifc:10.200.159.2 
                     duration 0:00:02
      %PIX-7-609002: Teardown local-host outside:10.0.0.1 duration 0:00:02
      %PIX-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.200.159.1,  
                     distance 1, table Default-IP-Routing-Table, on interface 
                     outside
      
      !--- 10.0.0.1 is unreachable, so the route to the Primary ISP is removed.
      
      

Regards

Karthik
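As an added example (not part of the thread and not Cisco's code), the sketch below pulls the 622001 tracked-route messages out of a saved ASA/PIX log in the wrapped layout shown above, so failover and failback times can be read off directly. The timestamps, the `Adding` line in the sample, and the function names `unwrap`, `route_events` and `withdrawn` are assumptions made for illustration.

```python
import re

# Constructed sample in the wrapped layout above; timestamps are invented.
SAMPLE = """\
Mar 08 10:00:02 %PIX-6-302021: Teardown ICMP connection for faddr 10.0.0.1/0 gaddr
               10.200.159.2/6407 laddr 10.200.159.2/6407
Mar 08 10:00:02 %PIX-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.200.159.1,
               distance 1, table Default-IP-Routing-Table, on interface
               outside
Mar 08 10:04:40 %PIX-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 10.200.159.1,
               distance 1, table Default-IP-Routing-Table, on interface
               outside
"""

MSG_START = re.compile(r"%(?:PIX|ASA)-\d-\d{6}:")
ROUTE_RE = re.compile(
    r"%(?:PIX|ASA)-6-622001: (Adding|Removing) tracked route "
    r"(\S+) (\S+) (\S+), distance (\d+), table (\S+), on interface (\S+)"
)

def unwrap(text):
    """Join wrapped continuation lines onto the syslog message they belong to."""
    messages = []
    for line in filter(str.strip, text.splitlines()):
        if MSG_START.search(line) or not messages:
            messages.append(line.strip())      # a new %PIX-/%ASA- message
        else:
            messages[-1] += " " + line.strip() # continuation of the previous one
    return messages

def route_events(text):
    """Return one dict per 622001 tracked-route message, in log order."""
    events = []
    for msg in unwrap(text):
        m = ROUTE_RE.search(msg)
        if m:
            action, net, mask, gw, dist, _table, ifc = m.groups()
            events.append({"time": msg[:m.start()].strip(), "action": action,
                           "route": (net, mask, gw, ifc), "distance": int(dist)})
    return events

def withdrawn(events):
    """Routes whose most recent event is a removal (still failed over)."""
    last = {e["route"]: e["action"] for e in events}
    return [route for route, action in last.items() if action == "Removing"]

if __name__ == "__main__":
    for e in route_events(SAMPLE):
        print(e["time"], e["action"], *e["route"])
```

Comparing the time of the `Removing` event with the moment the link was actually cut shows how much of the 30 to 35 seconds is spent before the tracked route is withdrawn.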

 


 

Dear nkarthikeyan,

I have followed your steps above, but it is still the same. When ISP1 goes down, it takes 30 to 35 seconds to switch to ISP2. I captured the log when I shut down the interface for testing. Please kindly check the attached file.

thank you!!!

Best Regards

sotheng

 


I do not see any files attached with the recent post....

 

Regards

Karthik
