switch vpn to backup vpn on asa (configure ipsec for dual ISP on ASA )

dido32dido32 Member Posts: 4 ■□□□□□□□□□
ello,
Could you help me?
I Have configured VPNipsec on asa, i use 'sla monitor track' for duel ISP.
Problem for me: I use two interfaces(outside for ISP1, backup FOR ISP2):
1-when outside interface is down(i i disconnec cable ) vpn switch automatically.
2-but when ISP1 is down (outside interface is up) my internet switch to backup interface , i have internet.
but my vpn is down
even my SLA detecte that pind doesn't work
my default getway switch to second ISP, but i have to reset my vpn to work
3-i noticed also that my vpn don't come back working if i have juste short problem connexion i have also reset my vpn
even i have these:
When I type bebug crypto isakmp sa i get
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : aes Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 85981

it seems fine BUT
and when i type sh crypto ipsec sa i get
interface: outside (should be backup interface)


i was trying to follow what happens when my ISP is down , i enable debug isakmp ans ipsec

when i type debug crypto isakmp 127 I get

[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
without stopping that mean my phase1 and two don't complete
ofcourse for debug crypto ipsec 127 nothing happens
regards

Comments

  • 7of97of9 Member Posts: 76 ■■■□□□□□□□
    If it's not completing the isakmp handshake process, then there won't be any debugs for ipsec. You may have better luck posting this in the CCNP: Security forum. In addition, do you have the rest of the configuration for the "sla monitor track?"

    In my limited experience with it, failover with VPN on an ASA is cludgy. I think we got it working for one customer, but I remember it being a battle of wills! :)
    Working on Security+ study, then going back to re-do my Cisco Certs, in between dodging moose and riding my Harley
  • dido32dido32 Member Posts: 4 ■□□□□□□□□□
    ok I Will post in the CCNP forum with my config
    thanks
  • networker050184networker050184 Mod Posts: 11,962 Mod
    I've merged the two threads together. No need for separate threads.
    An expert is a man who has made all the mistakes which can be made.
  • f0rgiv3nf0rgiv3n Member Posts: 598 ■■■■□□□□□□
    dido32, what happens when you clear the SAs when ISP1 is down? Does it renegotiate using the secondary ISP interface?
    The command is:
    clear crypto isakmp sa
    clear crypto ipsec sa

    Also, do you have any other static routes that you put in there besides the default routes?
  • f0rgiv3nf0rgiv3n Member Posts: 598 ■■■■□□□□□□
    OK this makes me think you need to look into enabling keepalives for your VPN. By enabling keepalives it'll check to see if the remote peer is responding. If it doesn't, it'll tear down the VPN. Then once it's torn down it'll renegotiate the isakmp sa. This configuration is done inside the tunnel-group.
    "isakmp keepalive"
  • dido32dido32 Member Posts: 4 ■□□□□□□□□□
    thank you , I will try it but which side I have to configure isakmp keeplive? both side?
  • f0rgiv3nf0rgiv3n Member Posts: 598 ■■■■□□□□□□
    Well, there's some debate to which side needs it but I would go with the side that you issued the "clear crypto isakmp sa". There have been issues with putting keepalives on both sides.

    The issue you are having is that the security associations are still "valid" on the ISP1 interface because the lifetime hasn't expired. Since keepalives aren't enabled it just keeps it until the interface itself goes down or the lifetime expires. What this does is it makes it so the ASA doesn't know that it needs to renegotiate the tunnel.

    By enabling keepalives it will constantly reach out to the peer to see if it's responsive. If it doesn't respond and the threshold is broken, it tears down the tunnel and all SAs are removed. Thus, when you send traffic again destined for the tunnel, it renegotiates and recognizes that it cannot communicate using ISP1 interface so it then uses the ISP2 interface to create the tunnel.
  • dido32dido32 Member Posts: 4 ■□□□□□□□□□
    thank you for your answer.
    I have configured : isakmp keepalive threshold 20 retry 2

    But still i have the same message when I type debug crypto isakmp 127
    [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    without stopping

    thanks
Sign In or Register to comment.