switch vpn to backup vpn on asa (configure ipsec for dual ISP on ASA)
dido32
Hello,
Could you help me?
I have configured an IPsec VPN on the ASA, and I use 'sla monitor track' for dual ISP.
Problem for me: I use two interfaces (outside for ISP1, backup for ISP2):
1- When the outside interface is down (I disconnect the cable) the VPN switches automatically.
2- But when ISP1 is down (outside interface is up) my internet switches to the backup interface, I have internet,
but my VPN is down
even though my SLA detects that the ping doesn't work
my default gateway switches to the second ISP, but I have to reset my VPN to make it work
3- I noticed also that my VPN doesn't come back working if I have just a short connection problem; I also have to reset my VPN
even though I have this:
When I type debug crypto isakmp sa I get
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : aes Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 85981
it seems fine BUT
when I type sh crypto ipsec sa I get
interface: outside (should be the backup interface)
I was trying to follow what happens when my ISP is down, so I enabled debug isakmp and ipsec.
When I type debug crypto isakmp 127 I get
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
without stopping, which means my phase 1 and phase 2 don't complete.
Of course for debug crypto ipsec 127 nothing happens
regards
Comments
7of9
If it's not completing the isakmp handshake process, then there won't be any debugs for ipsec. You may have better luck posting this in the CCNP: Security forum. In addition, do you have the rest of the configuration for the "sla monitor track?"
In my limited experience with it, failover with VPN on an ASA is kludgy. I think we got it working for one customer, but I remember it being a battle of wills!
dido32
OK, I will post in the CCNP forum with my config
thanks
networker050184
I've merged the two threads together. No need for separate threads.
f0rgiv3n
dido32, what happens when you clear the SAs when ISP1 is down? Does it renegotiate using the secondary ISP interface?
The command is:
clear crypto isakmp sa
clear crypto ipsec sa
Also, do you have any other static routes that you put in there besides the default routes?
f0rgiv3n
OK this makes me think you need to look into enabling keepalives for your VPN. By enabling keepalives it'll check to see if the remote peer is responding. If it doesn't, it'll tear down the VPN. Then once it's torn down it'll renegotiate the isakmp sa. This configuration is done inside the tunnel-group.
"isakmp keepalive"
dido32
thank you, I will try it but on which side do I have to configure isakmp keepalive? Both sides?
f0rgiv3n
Well, there's some debate to which side needs it but I would go with the side that you issued the "clear crypto isakmp sa". There have been issues with putting keepalives on both sides.
The issue you are having is that the security associations are still "valid" on the ISP1 interface because the lifetime hasn't expired. Since keepalives aren't enabled it just keeps it until the interface itself goes down or the lifetime expires. What this does is it makes it so the ASA doesn't know that it needs to renegotiate the tunnel.
By enabling keepalives it will constantly reach out to the peer to see if it's responsive. If it doesn't respond and the threshold is broken, it tears down the tunnel and all SAs are removed. Thus, when you send traffic again destined for the tunnel, it renegotiates and recognizes that it cannot communicate using ISP1 interface so it then uses the ISP2 interface to create the tunnel.
dido32
thank you for your answer.
I have configured:
isakmp keepalive threshold 20 retry 2
But I still have the same message when I type debug crypto isakmp 127
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
without stopping
thanks
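The configuration below is an added illustration by the editor, not the poster's config and not an official Cisco sample. It pulls together the pieces discussed in this thread on a single ASA: the SLA-tracked default route, the ISAKMP policy matching the poster's SA (aes / SHA / preshared / 86400), the DPD keepalive f0rgiv3n recommends in the tunnel-group, and the two bindings that are easy to miss when the SA keeps showing "interface: outside": the crypto map and ISAKMP must be active on the backup interface too. All addresses (203.0.113.0/24 for ISP1, 198.51.100.0/24 for ISP2, peer 192.0.2.20, LANs 10.1.1.0/24 and 10.2.2.0/24), the object names, and the pre-shared key placeholder are assumptions; the NAT exemption uses pre-8.3 syntax.

```cisco
! Added example (editor's illustration, not the poster's configuration).
! Assumed addressing: outside 203.0.113.10/24 via 203.0.113.1 (ISP1),
! backup 198.51.100.10/24 via 198.51.100.1 (ISP2), remote peer 192.0.2.20,
! local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24.
!
! --- ISP1 reachability: ping the ISP1 gateway from the outside interface every 5 s
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! --- Default routes: the primary is withdrawn when track 1 goes down,
!     the backup route (metric 254) then carries all traffic, VPN included
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
!
! --- Phase 1 policy (same parameters the poster's 'show' output reports)
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! ISAKMP must be enabled on BOTH ISP-facing interfaces; if it is only enabled
! on outside, the ASA cannot build the tunnel from backup after the route flips
crypto isakmp enable outside
crypto isakmp enable backup
!
! --- Phase 2: interesting traffic, transform set, crypto map
access-list VPN-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 match address VPN-TRAFFIC
crypto map VPNMAP 10 set peer 192.0.2.20
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
! The same crypto map is bound to both interfaces; a map bound only to
! outside leaves 'sh crypto ipsec sa' reporting 'interface: outside' after failover
crypto map VPNMAP interface outside
crypto map VPNMAP interface backup
!
! --- NAT exemption for the tunnelled subnets (pre-8.3 syntax, assumed)
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! --- Tunnel group with DPD keepalives: after 10 s without traffic from the peer
!     the ASA probes it, retrying every 2 s; when the peer stays silent the SAs
!     are torn down and the next interesting packet renegotiates over whichever
!     interface currently holds the default route
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-PSK
 isakmp keepalive threshold 10 retry 2
```

Two checks worth making against a config like this when the symptom is the one in the thread. First, the remote peer sees a different source address (198.51.100.10 instead of 203.0.113.10) after failover, so it must be prepared to accept the backup address as a peer; on a remote ASA that means listing both addresses in its crypto map (set peer 203.0.113.10 198.51.100.10) and having a tunnel-group, or a matching default L2L group, for each. Second, a stream of "received a key acquire message" with nothing following it means the ASA is being asked to start IKE for interesting traffic but never sends the first message; the egress interface, and whether ISAKMP and the crypto map are active on it, is the first thing to verify with show crypto isakmp sa and show route once track 1 has gone down.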