I'm having some problems with Cisco 870 routers connected to Cisco ASA 5550 firewalls via the internet and IPsec L2L VPNs. The 870 router establishes a tunnel to the default peer without a problem. The crypto map has 4 entries, so depending on the traffic being sent through the 870 router there can be up to 4 SPIs using that tunnel.
The problem is as follows:
As the underlying connectivity is via the Internet, every now and then we see that the router establishes a tunnel to the backup peer (18.104.22.168). When this happens I end up with two active tunnels, with at least one SPI still active on the default tunnel peer. The problem I have is that on the other end of these tunnels, when the VPN is created to the backup peer it uses RRI to advertise the 870's LAN into our core network. Traffic from the Core will be routed via the backup VPN, but traffic from the 870 can still use the default VPN to send traffic. Asymmetric traffic then breaks connectivity for the site.
So the problem I see is that the 870 router (using DPD) should only ever have one tunnel up; if it detects a problem with that one it should tear it down and establish a tunnel to the backup peer. Traffic would then be symmetric.
Does anyone have any ideas? Any clues why both tunnels stay up?
Thanks for the reply. I don't think that applies here; each client only has a single Internet connection, so there are no routing changes required. The redundancy we're looking for is on the ASA firewall endpoint, by having the default peer and then a 2nd peer if that is unavailable. DPD should detect if the default peer is unavailable, tear down the tunnel and then establish one to the 2nd peer. We are not seeing the tearing down take place.
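As an added example (not from the post, nor Cisco code), the check below models the condition described: active IPsec SAs toward more than one peer, with crypto map entries still bound to the default peer after the backup peer has come up. The SA records, field names, SPI values and the default-peer address are constructed assumptions; only the backup peer address is taken from the post.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsecSa:
    """One active IPsec SA as seen on the 870 (constructed model, not IOS output)."""
    peer: str        # remote IKE peer address
    map_entry: int   # crypto map sequence number this SA belongs to
    spi: int         # SPI value (constructed)
    direction: str   # "in" or "out"


DEFAULT_PEER = "203.0.113.10"   # placeholder address, assumption
BACKUP_PEER = "18.104.22.168"   # backup peer quoted in the post

# Constructed snapshot: backup tunnel carries entries 20 and 30, but entry 10
# still has a pair of SAs toward the default peer (the stale tunnel).
SAMPLE_SAS = [
    IpsecSa(DEFAULT_PEER, 10, 0x1A2B, "out"),
    IpsecSa(DEFAULT_PEER, 10, 0x3C4D, "in"),
    IpsecSa(BACKUP_PEER, 20, 0x5E6F, "out"),
    IpsecSa(BACKUP_PEER, 20, 0x7081, "in"),
    IpsecSa(BACKUP_PEER, 30, 0x9293, "out"),
    IpsecSa(BACKUP_PEER, 30, 0xA4B5, "in"),
]


def active_peers(sas):
    """Distinct peers that currently hold at least one SA."""
    return sorted({sa.peer for sa in sas})


def split_tunnel_report(sas, default_peer):
    """Return (active peers, map entries still on the default peer while a
    second peer is also active). An empty second list means no split."""
    by_peer = defaultdict(set)
    for sa in sas:
        by_peer[sa.peer].add(sa.map_entry)
    peers = active_peers(sas)
    stale = by_peer[default_peer] if len(peers) > 1 else set()
    return peers, sorted(stale)


def is_asymmetric_risk(sas, default_peer):
    """True when traffic may leave via one peer while RRI returns it via another."""
    peers, stale = split_tunnel_report(sas, default_peer)
    return len(peers) > 1 and bool(stale)
```

A healthy failover leaves a single peer in the first element of the report and an empty stale list.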