ip sla for tunnel tracking
Bl8ckr0uter
Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
in CCNP
How often is this used? I'll have to draw a diagram later but basically I have a router that is terminating two VPN connections to two ASAs. This is a POC for something I need to do for a few customers. We want to avoid using any routing protocols if possible. I want one used as the primary and one used as the backup. I tried to use one crypto map and use the prefer option to do this but it did not work. So what I am trying to do is use a floating route that is tied to a tracking interface (which will be controlled by SLA) and then use another route with a very high metric so that if the SLA route dies, the other route should be used. I am just wondering if anyone has done this in production and has seen any issues with route flapping. Say the SLA route dies but then comes back; it shouldn't matter to us on the other side of the tunnel since both ASAs can get to the same place, but to them they will lose a few pings. That could be an issue. Just wondering if anyone has a better perspective. I have checked out quite a few links but here are the gems:
Configuring High Availability Features for Site-to-Site IPSec VPNs [IPSec Negotiation/IKE Protocols] - Cisco Systems
IPSec Stateful Failover (VPN High Availability) Feature Module - Cisco Systems
HA for IPSec VPN using IP SLA - Knowledge Base
NIL - Designing Site-to-Site IPsec VPNs
High Availability Site-to-Site IPSec VPNs « A Networker Blog.-
Comments
-
ColbyG Member Posts: 1,264
I've used SLA quite a bit for different things. It should work well for you. If you're concerned about flapping, look into the settings. You can tell the router to wait before pulling the object.
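As an added example (not from any post in this thread) of the wait ColbyG is describing, here is the OP's floating-route design with a dampened track object. It uses the peer and host addresses from the configs the OP posts later; the probe timers and the delay values are assumptions to tune per link.

```cisco
! Added example, not from the thread: dampened IP SLA tracking for the
! floating-route failover the OP describes. Addresses follow the OP's later
! configs; probe timers and delay values are assumptions.
!
! Probe the primary ASA's outside address every 3 s, sourced from the outside
! interface so the probe is never pulled into the crypto map or NAT.
ip sla 1
 icmp-echo 2.2.2.2 source-interface FastEthernet0/1
 timeout 1000
 threshold 500
 frequency 3
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe. "delay" is the wait ColbyG mentions: the
! primary route is withdrawn only after 10 s of failed probes and reinstalled
! only after 60 s of good ones, so one lost echo or a peer that bounces does
! not flap the tunnel every few seconds. (Older 12.4 images spell the first
! line "track 1 rtr 1 reachability", as in the OP's config.)
track 1 ip sla 1 reachability
 delay down 10 up 60
!
! Primary path: installed only while track 1 is up.
ip route 10.40.0.1 255.255.255.255 2.2.2.2 track 1
! Floating backup: AD 254 keeps it out of the table until the primary is gone.
ip route 10.40.0.1 255.255.255.255 2.2.2.22 254
! Host routes so the probe and the IKE/ESP traffic leave via the outside link.
ip route 2.2.2.2 255.255.255.255 FastEthernet0/1
ip route 2.2.2.22 255.255.255.255 FastEthernet0/1
!
! Verify: show track 1 / show ip sla statistics 1 / show ip route 10.40.0.1
```

Note that the probe only proves the primary peer's outside address answers; a failure behind the ASA (the routing problem the OP later hits) is not seen by it.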
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Excellent. Hopefully it should work out because we really don't want to run routing protocols through the tunnels, although with RRI we really shouldn't have to (I don't think). This is an epic little tool btw.
-
cisco_trooper Member Posts: 1,441 ■■■■□□□□□□
Hah. Off-topic but your use of the word "epic" reminded me of something from the best website on the internet. Some guy rants about people using the word epic. It is quite comical for those who can appreciate "jerk" humor for lack of a better word.
Not everything is epic, you shitheads.
and don't flame me, I'm not responsible for the appearance of the link.
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Well maybe you can help me cisco trooper lol
I have a problem. I cannot seem to get the IPsec tunnel to fail over to the other device. It only works on the primary device. Before you ask, these are not production and I know there are some things I really need to clean up. I just haven't done it because these are my learning ASAs. Here are my configs:
Main Router:
Current configuration : 2312 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname customer
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip cef
!
voice-card 0
 no dspfarm
!
track 1 rtr 1 reachability
!
track 10 rtr 2 reachability
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco123! address 2.2.2.2 no-xauth
crypto isakmp key cisco123! address 2.2.2.22 no-xauth
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 set peer 2.2.2.2
 set peer 2.2.2.22
 set transform-set VPN
 set pfs group5
 match address VPNACL
!
interface Loopback1
 description inside test server
 ip address 192.168.8.1 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description outside
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
!
ip route 10.40.0.1 255.255.255.255 2.2.2.2 track 1
ip route 2.2.2.2 255.255.255.255 FastEthernet0/1
ip route 2.2.2.22 255.255.255.255 FastEthernet0/1
ip route 10.40.0.1 255.255.255.255 2.2.2.22 254
!
no ip http server
no ip http secure-server
ip nat inside source route-map NONAT interface FastEthernet0/1 overload
!
ip access-list extended NONAT
 remark This is the access-list that controls what goes across the vpn tunnel and what goes across the inter
 remark This is the access-list that controls what goes across the vpn tunnel and what goes across the inter
 remark This is the access-list that controls what goes across the vpn tunnel and what doesnt
 remark This is the access-list that controls what goes across the vpn tunnel and what doesn't.
 deny ip host 192.168.8.1 host 10.40.0.1
 permit ip any any
ip access-list extended VPNACL
 permit ip host 192.168.8.1 host 10.40.0.1
!
ip sla 1
 icmp-echo 2.2.2.2
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
!
route-map nonat permit 10
 match ip address NONAT
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
!
end
ASA 1 (Primary and working ASA):
ASA Version 8.3(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.40 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif man
 security-level 0
 ip address 8.8.8.8 255.255.255.0
!
ftp mode passive
same-security-traffic permit intra-interface
object network VPNLOCAL
 host 10.40.0.1
object network VPNREMOTE
 host 192.168.8.1
access-list VPN_LIST extended permit ip host 10.40.0.1 host 192.168.8.1
access-list TEST extended permit ip any any log
access-list TEST extended permit udp any any log
access-list TEST extended permit esp any any log
access-list TEST extended permit tcp any any log
access-list InsideIN extended permit icmp any any
access-list OutsideOut extended permit ip any any
access-list OutsideOut extended permit icmp any any
pager lines 24
logging console debugging
logging buffered debugging
logging trap notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu man 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static VPNLOCAL VPNLOCAL destination static VPNREMOTE VPNREMOTE
access-group OutsideOut in interface outside
access-group TEST out interface outside
access-group TEST in interface inside
access-group InsideIN out interface inside
!
router ospf 1
 network 10.0.0.0 255.255.255.0 area 0
 log-adj-changes
!
route outside 1.1.1.0 255.255.255.0 2.2.2.2 1
route outside 2.2.2.0 255.255.255.0 1.1.1.1 1
route outside 192.168.8.0 255.255.255.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN_STANDARD esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN 1 match address VPN_LIST
crypto map VPN 1 set pfs group5
crypto map VPN 1 set peer 1.1.1.1
crypto map VPN 1 set transform-set VPN_STANDARD
crypto map VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 man
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ca9ac9a937814e7c7944458cc8923fd9
: end
Secondary ASA (not working):
ASA Version 8.3(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.22 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.240 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif man
 security-level 0
 ip address 8.8.8.88 255.0.0.0
!
boot system disk0:/asa832-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network VPNLOCAL
 host 10.40.0.1
object network VPNREMOTE
 host 192.168.8.1
access-list VPN_LIST extended permit ip host 10.40.0.1 host 192.168.8.1
access-list TEST extended permit ip any any log
access-list TEST extended permit udp any any log
access-list TEST extended permit esp any any log
access-list TEST extended permit tcp any any log
access-list InsideIN extended permit icmp any any
access-list OutsideOut extended permit ip any any
access-list OutsideOut extended permit icmp any any
pager lines 24
logging enable
logging console debugging
logging buffered debugging
logging trap notifications
logging asdm informational
mtu man 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static VPNLOCAL VPNLOCAL destination static VPNREMOTE VPNREMOTE
access-group OutsideOut in interface outside
access-group TEST out interface outside
!
router ospf 1
 network 10.0.0.0 255.255.255.0 area 0
 log-adj-changes
!
route outside 1.1.1.1 255.255.255.255 2.2.2.22 1
route outside 2.2.2.0 255.255.255.0 1.1.1.1 1
route outside 192.168.8.0 255.255.255.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN_STANDARD esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN 1 match address VPN_LIST
crypto map VPN 1 set pfs group5
crypto map VPN 1 set peer 1.1.1.1
crypto map VPN 1 set transform-set VPN_STANDARD
crypto map VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 man
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3233c60cf617a6cb6a923b55656f848f
: end
%ASA-7-111009: User 'enable_15' executed cmd: show running-config
-
unclerico Member Posts: 237 ■■■■□□□□□□
Is the failover tunnel established? Have you enabled any debugging on the devices to see what is happening?
Also, have you given any thought to swapping the ASA devices for Cisco routers so you can use route-based VPN with SVTIs? I know you said you didn't want to run a routing protocol over the tunnels but you could throw a simple EIGRP or OSPF config into the mix and let the routing protocols handle failover. Just a thought...
Preparing for CCIE Written
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
It isn't even trying to establish a tunnel with the failover device.
Oh and it has to be ASAs for other reasons (mainly reliable stateful failover).
Is what you are suggesting something like this:
http://packetlife.net/blog/2011/aug/17/policy-based-vs-route-based-vpns-part-2/
-
ColbyG Member Posts: 1,264
How are you testing this? What exactly is happening? We need some details.
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
The "customer" router first sets up a VPN tunnel with the main ASA (and works fine). Then what I try to do is simply unplug the "internet" connection on the working ASA. The route changes due to SLA on the customer router but the VPN never tried to negotiate on the nonworking ASA. Then I try to simply set the connection up on the nonworking ASA (by clearing the crypto session and leaving the "internet" connection down on the working ASA). This doesn't work either. The route changes but the tunnel never tries to work on the nonworking ASA. The configs are exactly the same (I literally changed two IPs and copied and pasted from one ASA to another) and I have peer entries for both.
-
Panzer919 Member Posts: 462
I had a GRE site that had issues with flapping. Since neither the local interface nor the local IP address ever dropped off, no routing changes occurred. This is what I had to put in place to get the routing to change:
ip sla 1
 icmp-echo y.y.y.y (remote side of tunnel)
 frequency 5
ip sla schedule 1 life forever start-time now
! tracked object that ties HSRP to the probe (not shown in the post as written)
track 1 rtr 1 reachability
interface Vlan100
 standby 0 ip x.x.x.x
 standby 0 priority 150
 standby 0 preempt
 standby 0 track 1 decrement 100
Hope this helps
Cisco Brat Blog
I think “very senior” gets stuck in there because the last six yahoos that applied for the position couldn’t tell a packet from a Snickers bar.
Luck is where opportunity and proper planning meet
I have not failed. I've just found 10,000 ways that won't work.
Thomas A. Edison
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Ok I figured out the problem with the secondary device and corrected it. I have attached a document to help with my idea.
The first problem was a simple misconfiguration of a psf, so that was totally a goof on my side. The second one was a routing problem. So on the endpoint device there was a static route pointing to the LAN IP address of the primary ASA as the way to get to 192.168.8.1 (the customer endpoint). Once I unplugged the "internet" side of the primary ASA, the static routing on the customer endpoint failed over via SLA and it worked. Once I changed the static route on the endpoint router the tunnel fully functioned. The problem is I want this to happen automagically. I no longer have the restriction of not using routing protocols. So if I advertise 192.168.8.1 on the customer router side and send it through the tunnel and then let those routes get injected via OSPF on the firewall (and LAN equipment), this should do what I want, correct? I mean my only real concern is that when we go live with this I want it to fail over automatically in the event of direct or indirect failures. Does this solution look sound oh mighty CCNPs?
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Well I ended up switching out the Firewalls for two 2901s. Route based VPN for the win! Now I just need to get rsa-encry going and we will be all set. I'll probably post some configs later just for concluding the thread.
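The OP never posted the route-based configs, so here is an added example (not the OP's and not from any post above) of what the two previous posts describe: the "customer" router with one IPsec VTI to each 2901 and OSPF choosing the path, so a direct or indirect failure on either side fails over without IP SLA or floating routes. Peer addresses and the lab PSK are taken from the OP's earlier configs; the tunnel /30 addresses, the OSPF timers and a mirrored config on the two 2901s are assumptions.

```cisco
! Added example, not from the thread: route-based failover on the "customer"
! router with two IPsec VTIs and OSPF. Peer addresses and the lab PSK follow
! the OP's configs; tunnel /30s, OSPF timers and the remote side are assumed.
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco123! address 2.2.2.2 no-xauth
crypto isakmp key cisco123! address 2.2.2.22 no-xauth
! DPD tears the SA down when a peer dies while the physical link stays up.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
crypto ipsec profile VPN-PROF
 set transform-set VPN
 set pfs group5
!
! Primary VTI to the 2901 that replaced the primary ASA. Traffic is selected
! by routing into the tunnel, so no crypto ACL and no NONAT route-map needed.
interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
 ip ospf hello-interval 1
 ip ospf dead-interval 3
 tunnel source FastEthernet0/1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-PROF
!
! Backup VTI to the second 2901. The higher OSPF cost keeps it idle until
! the Tunnel1 adjacency is lost.
interface Tunnel2
 ip address 172.16.2.1 255.255.255.252
 ip ospf cost 1000
 ip ospf hello-interval 1
 ip ospf dead-interval 3
 tunnel source FastEthernet0/1
 tunnel destination 2.2.2.22
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-PROF
!
! Both tunnels stay up and OSPF chooses the path, so direct and indirect
! failures are caught by the dead timer instead of a reachability probe.
router ospf 1
 passive-interface Loopback1
 network 172.16.1.0 0.0.0.3 area 0
 network 172.16.2.0 0.0.0.3 area 0
 network 192.168.8.1 0.0.0.0 area 0
!
! The peers' outside addresses must still be reachable outside the tunnels.
ip route 2.2.2.2 255.255.255.255 FastEthernet0/1
ip route 2.2.2.22 255.255.255.255 FastEthernet0/1
! Verify: show crypto session / show ip ospf neighbor / show ip route 10.40.0.1
```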
-
unclerico Member Posts: 237 ■■■■□□□□□□
Bl8ckr0uter wrote: »
Well I ended up switching out the Firewalls for two 2901s. Route based VPN for the win! Now I just need to get rsa-encry going and we will be all set. I'll probably post some configs later just for concluding the thread.
You took my advice ...much better than the old policy-based way of doing things!!
Preparing for CCIE Written
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Yea it is pretty epic. Once the certificate based authentication works I'll be set.