Dual WAN connections
fid500
I have two sites, A and B. These sites are connected through MPLS and a site-to-site VPN with one dynamic and one static IP. I am using static routes and IP SLA to track the default route. I have the MPLS link as the preferred route when both links are up. When the MPLS comes up first, the traffic is routed through the MPLS link. When the MPLS link fails, the traffic is routed through the VPN; so far so good. However, when I bring the MPLS link up, the traffic stays on the VPN link. I checked the routing table and it's showing that the MPLS link is the preferred path. When I clear the SA association, the traffic switches to MPLS and stays on the MPLS.
I am trying to figure out why the traffic doesn't switch to the MPLS when the link comes up, since the routing table shows the MPLS as the preferred route.
Thanks
Comments
keenon
What routing protocol are you using? How is your IP SLA tuned? Are you tracking a route or pinging an IP address, etc.?
fid500
Keenon
Thanks for your response
I have OSPF running inside and static routes on both firewalls. As for IP SLA tracking, I am pinging two IP addresses. When I check the routing table, it has the correct route; just the traffic stays on the VPN tunnel. I don't want to run a routing protocol and prefer to keep it to static routes. I could write a TCL script to terminate the SA association, but the ASAs don't support TCL, I believe.
Forsaken_GA
Clarify something: is the tracking and routing being done on the ASAs, or on an IOS router?
fid500
Here are the configs and diagram. The IP SLA tracking is done on the ASAs.
hostname Central
domain-name Central
names
name 10.213.1.0 Remote
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.51 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.81.1.1 255.255.255.0
!
interface Ethernet2
nameif mpls
security-level 50
ip address 172.16.1.1 255.255.255.0
access-list inside_access_in extended permit ip 10.81.1.0 255.255.255.0 any
access-list mpls_access_in extended permit ip Remote 255.255.255.0 10.81.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.81.1.0 255.255.255.0 Remote 255.255.255.0
access-list outside_cryptomap_65535.1 extended permit ip 10.81.1.0 255.255.255.0 Remote 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Remote 255.255.255.0
access-group inside_access_in in interface inside
access-group mpls_access_in in interface mpls
route mpls Remote 255.255.255.0 172.16.1.2 1 track 124
route outside Remote 255.255.255.0 192.168.1.52 200 track 125
route outside 0.0.0.0 0.0.0.0 192.168.1.52 1
route mpls 172.17.1.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
sla monitor 2
type echo protocol ipIcmpEcho 172.17.1.1 interface mpls
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now
sla monitor 3
type echo protocol ipIcmpEcho 172.18.1.2 interface outside
num-packets 3
frequency 10
sla monitor schedule 3 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 1 set pfs
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 124 rtr 2 reachability
!
track 125 rtr 3 reachability
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
hostname Remote
name 10.81.1.0 Central
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.50 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.213.1.1 255.255.255.0
!
interface Ethernet2
nameif mpls
security-level 50
ip address 172.17.1.1 255.255.255.0
!
interface Ethernet3
nameif satelite
security-level 30
ip address 172.18.1.1 255.255.255.0
access-list inside_access_in extended permit ip 10.213.1.0 255.255.255.0 any
access-list mpls_access_in extended permit ip Central 255.255.255.0 10.213.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.213.1.0 255.255.255.0 Central 255.255.255.0
access-list satelite_1_cryptomap extended permit ip 10.213.1.0 255.255.255.0 Central 255.255.255.0
access-list satelite_access_in extended permit ip Central 255.255.255.0 10.213.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
access-group mpls_access_in in interface mpls
access-group satelite_access_in in interface satelite
route mpls Central 255.255.255.0 172.17.1.2 1 track 124
route satelite Central 255.255.255.0 172.18.1.2 200 track 125
route outside 0.0.0.0 0.0.0.0 192.168.1.52 1
route mpls 172.16.1.0 255.255.255.0 172.17.1.2 1
route satelite 192.168.1.51 255.255.255.255 172.18.1.1 1
timeout xlate 3:00:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
sla monitor 2
type echo protocol ipIcmpEcho 172.16.1.1 interface mpls
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now
sla monitor 3
type echo protocol ipIcmpEcho 172.18.1.2 interface satelite
num-packets 3
frequency 10
sla monitor schedule 3 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map satelite_map 1 match address satelite_1_cryptomap
crypto map satelite_map 1 set pfs
crypto map satelite_map 1 set peer 192.168.1.51
crypto map satelite_map 1 set transform-set ESP-3DES-SHA
crypto map satelite_map interface satelite
crypto isakmp enable satelite
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 124 rtr 2 reachability
!
track 125 rtr 3 reachability
telnet timeout 5
tunnel-group 192.168.1.51 type ipsec-l2l
tunnel-group 192.168.1.51 ipsec-attributes
pre-shared-key *
VPN simulation.jpg
Central.doc
Remote.doc
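Added example, not part of the original thread and not the ASA's own code: a small Python model of the Central config above, built to show the behaviour fid500 is hitting. It replays the Central static routes (mpls for Remote with distance 1 tracked by 124, a floating outside route with distance 200 tracked by 125, and the untracked default) against a connection table that, like a stateful firewall's, pins an established flow to the egress interface chosen when the flow was created. The routing table is only consulted again for that flow when its pinned interface loses every usable route (failover), when the operator clears the connection (what clearing the SA achieved in the thread, and what `clear conn` does directly), or when a floating-connection timeout expires. The `floating_conn_timeout` knob is this model's stand-in for the ASA `timeout floating-conn` command, which closes a pinned connection once a better route has been available for that long (default 0, never) on releases that support it. The names `Flow`, `Route`, `Conn`, `Firewall`, `central_fw` and `run_scenario` are my own, and the flow 10.81.1.10 to 10.213.1.10 is constructed.

```python
"""Toy model of static-route failover behind a stateful conn table.

Constructed example, not ASA code: it uses the routes from the Central
config in the thread and a connection table that pins each established
flow to the egress interface picked when the flow was created.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from typing import NamedTuple


class Flow(NamedTuple):          # 5-tuple key of a connection
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    nexthop: str
    metric: int                  # the distance argument of the ASA route command
    track: int | None = None     # SLA track ID; None means untracked


@dataclass
class Conn:
    iface: str                        # egress interface the flow is pinned to
    better_since: int | None = None   # tick at which a better route appeared


@dataclass
class Firewall:
    routes: list[Route]
    tracks: dict[int, bool]           # track ID -> reachability from IP SLA
    floating_conn_timeout: int = 0    # 0 = pinned forever (the ASA default)
    conns: dict[Flow, Conn] = field(default_factory=dict)
    clock: int = 0

    def tick(self, n: int = 1) -> None:
        self.clock += n

    def valid_routes(self, dst: str, iface: str | None = None) -> list[Route]:
        """Routes covering dst whose track (if any) is currently up."""
        ip = ipaddress.ip_address(dst)
        return [r for r in self.routes
                if ip in r.prefix
                and (r.track is None or self.tracks.get(r.track, False))
                and (iface is None or r.iface == iface)]

    def best_route(self, dst: str) -> Route | None:
        cand = self.valid_routes(dst)
        if not cand:
            return None
        # longest prefix wins; among equal prefixes the lowest distance wins
        return min(cand, key=lambda r: (-r.prefix.prefixlen, r.metric))

    def forward(self, flow: Flow) -> str | None:
        """Egress interface for one packet of flow, updating the conn table."""
        best = self.best_route(flow.dst)
        if best is None:
            return None
        conn = self.conns.get(flow)
        if conn is None:                  # new flow: routed fresh
            self.conns[flow] = Conn(iface=best.iface)
            return best.iface
        # Established flow: the routing table is only re-consulted if the
        # pinned interface has no usable route left (failover) or the
        # floating-conn timeout has expired; otherwise the flow stays put.
        if not self.valid_routes(flow.dst, conn.iface):
            conn.iface, conn.better_since = best.iface, None
        elif best.iface != conn.iface:
            if conn.better_since is None:
                conn.better_since = self.clock
            if (self.floating_conn_timeout
                    and self.clock - conn.better_since >= self.floating_conn_timeout):
                conn.iface, conn.better_since = best.iface, None
        return conn.iface

    def clear_conn(self, iface: str | None = None) -> int:
        """Stand-in for 'clear conn': drop every conn, or only those on iface."""
        victims = [f for f, c in self.conns.items() if iface is None or c.iface == iface]
        for f in victims:
            del self.conns[f]
        return len(victims)


def central_fw(floating_conn_timeout: int = 0) -> Firewall:
    """Routes of the Central ASA config above ("Remote" = 10.213.1.0/24)."""
    remote = ipaddress.ip_network("10.213.1.0/24")
    routes = [
        Route("mpls", remote, "172.16.1.2", 1, track=124),
        Route("outside", remote, "192.168.1.52", 200, track=125),
        Route("outside", ipaddress.ip_network("0.0.0.0/0"), "192.168.1.52", 1),
        Route("mpls", ipaddress.ip_network("172.17.1.0/24"), "172.16.1.2", 1),
    ]
    return Firewall(routes, {124: True, 125: True}, floating_conn_timeout)


def run_scenario(floating_conn_timeout: int = 0, clear_after_recovery: bool = False):
    """Replay the thread's sequence for one constructed inside -> Remote flow."""
    fw = central_fw(floating_conn_timeout)
    flow = Flow("10.81.1.10", "10.213.1.10", "tcp", 40000, 443)   # constructed
    path = [("mpls up", fw.forward(flow))]
    fw.tracks[124] = False                # SLA 2 fails: MPLS route withdrawn
    fw.tick()
    path.append(("mpls down", fw.forward(flow)))
    fw.tracks[124] = True                 # MPLS back: routing table prefers it
    fw.tick()
    path.append(("mpls restored", fw.forward(flow)))
    fw.tick()
    path.append(("one tick later", fw.forward(flow)))
    if clear_after_recovery:
        fw.clear_conn("outside")          # what clearing the SA did in the thread
        path.append(("after clear conn", fw.forward(flow)))
    return path


if __name__ == "__main__":
    print("default:", run_scenario())
    print("clear conn:", run_scenario(clear_after_recovery=True))
    print("floating-conn 1:", run_scenario(floating_conn_timeout=1))
```

With the default (no floating-conn timeout) the flow goes mpls, outside, outside, outside: the routing table already says mpls after recovery, but the conn never re-reads it. Clearing the conn moves it to mpls on the next packet, and a non-zero floating-conn timeout moves it by itself once the better route has been up for that long. On the real box, `show conn` for the inside host shows which interface a flow is pinned to, which is the check to run before assuming the routing table is wrong.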
Panzer919
Found this link that might help. I did a quick read of it and it looks like you may only need to track 1 route instead of both.