I recently came across this scenario where a customer had two internet links terminating on his ASA from two different ISPs. If his primary link (ISP2) was unavailable, he wanted the Site-to-Site VPN to fail over to the backup link (ISP3). This post shows you how to configure a firewall having two internet links using the SLA monitoring feature to get the required redundancy for the Site-to-Site VPN.
The site with two ISPs (in this case, FW2) is the one that needs the major changes. The basic site-to-site configuration remains the same; only the additional configuration for the backup peer IP 3.3.3.1 is covered in this post.
On FW1:
2.2.2.1 is the primary peer IP for this VPN; its configuration is already in place and the tunnel is up and working.
1. Create a tunnel group for the backup peer IP.
tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
 ikev1 pre-shared-key cisco
2. Add the backup peer IP to the existing crypto map for 2.2.2.1 and make sure the connection-type is set to bi-directional (which is the default).
crypto map outside_map 10 set peer 2.2.2.1 3.3.3.1
crypto map outside_map 10 set connection-type bi-directional
On FW2:
Interface configuration on the FW2 firewall:
interface GigabitEthernet0
 description Connected to ISP2 - Primary link
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.0
!
interface GigabitEthernet1
 description Connected to ISP3 - Backup link
 nameif outside2
 security-level 0
 ip address 3.3.3.1 255.255.255.0
1. Create an SLA monitor that pings the gateway IP of ISP2 (primary link). Add a default route pointing towards the gateway IP of ISP3 (secondary link) with an AD value of 254, and track the primary default route using the SLA monitor so that the floating backup route takes over when the primary gateway stops responding.
sla monitor 10
 type echo protocol ipIcmpEcho 2.2.2.2 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.2 254
2. IKEv1 and ‘crypto map outside_map’ are already enabled and applied on the outside interface. When the ISP2 link goes down, the outside2 interface will be terminating the VPN, and the following needs to be done for the VPN to establish on it. Also check the connection-type, which should be set to bi-directional (the default).
Enable ‘crypto ikev1’ and apply the ‘outside_map’ on the outside2 interface:
Existing config:
crypto ikev1 enable outside
crypto map outside_map interface outside
crypto map outside_map 10 set connection-type bi-directional
Additional config:
crypto ikev1 enable outside2
crypto map outside_map interface outside2
3. Create additional NAT statements for the outside2 interface, mirroring your existing NAT for the outside interface (otherwise the VPN-exempt and dynamic PAT rules only apply while traffic leaves via the primary link).
Existing NAT:
nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
Additional NAT:
nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside2) after-auto source dynamic any interface
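The three FW2 steps above are easy to get half-done (the comments below show configs where the crypto map or the mirrored NAT was only applied to one interface). As an added example that is not part of the original post, here is a small Python audit that reads an ASA-style config text and checks each step: a tracked primary default route with a higher-AD floating route on the backup, a track object that points at a scheduled SLA monitor, IKEv1 and the crypto map bound to both interfaces, no reverse-route entries in that map (which the ASA rejects when a map is attached to two interfaces), and an (inside,backup) twin for every (inside,primary) NAT rule. The sample configs are constructed from the lines in this post; the function names and finding texts are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: FW2 after step 1, before the outside2 additions from
# steps 2 and 3 (assumption: a real "show running-config" has many more
# lines, which these checks simply ignore).
FW2_BEFORE = """\
sla monitor 10
 type echo protocol ipIcmpEcho 2.2.2.2 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.2 254
crypto ikev1 enable outside
crypto map outside_map interface outside
crypto map outside_map 10 set connection-type bi-directional
nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
"""

# The "Additional config" lines from steps 2 and 3 of the post.
FW2_ADDITIONS = """\
crypto ikev1 enable outside2
crypto map outside_map interface outside2
nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside2) after-auto source dynamic any interface
"""

ROUTE_RE = re.compile(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)(?: track (\d+))?$")
TRACK_RE = re.compile(r"track (\d+) rtr (\d+) reachability$")


def audit_dual_isp(config: str, primary: str, backup: str, crypto_map: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: List[str] = []

    # Check 1: tracked default route on the primary interface, floating default
    # route (higher administrative distance) on the backup interface.
    routes: Dict[str, Tuple[int, Optional[str]]] = {}
    for ln in lines:
        m = ROUTE_RE.match(ln)
        if m:
            routes[m.group(1)] = (int(m.group(3)), m.group(4))
    if primary not in routes:
        findings.append(f"no default route on {primary}")
    elif routes[primary][1] is None:
        findings.append(f"default route on {primary} has no 'track', so it never fails over")
    if backup not in routes:
        findings.append(f"no default route on {backup}")
    elif primary in routes and routes[backup][0] <= routes[primary][0]:
        findings.append(f"default route on {backup} needs a higher AD than the one on {primary}")

    # Check 2: the track object must reference an SLA monitor that is scheduled.
    tracks = {m.group(1): m.group(2) for ln in lines if (m := TRACK_RE.match(ln))}
    track_id = routes.get(primary, (0, None))[1]
    if track_id is not None:
        sla_id = tracks.get(track_id)
        if sla_id is None:
            findings.append(f"track {track_id} is referenced but not defined")
        else:
            if f"sla monitor {sla_id}" not in lines:
                findings.append(f"sla monitor {sla_id} is not defined")
            if not any(ln.startswith(f"sla monitor schedule {sla_id} ") for ln in lines):
                findings.append(f"sla monitor {sla_id} is never scheduled")

    # Check 3: IKEv1 enabled and the crypto map applied on both interfaces.
    for ifc in (primary, backup):
        if f"crypto ikev1 enable {ifc}" not in lines:
            findings.append(f"crypto ikev1 not enabled on {ifc}")
        if f"crypto map {crypto_map} interface {ifc}" not in lines:
            findings.append(f"crypto map {crypto_map} not applied to {ifc}")

    # Check 4: reverse-route injection prevents binding one map to two interfaces.
    if any(re.match(rf"crypto map {re.escape(crypto_map)} \d+ set reverse-route", ln) for ln in lines):
        findings.append(f"crypto map {crypto_map} uses reverse-route; it cannot attach to two interfaces")

    # Check 5: every (inside,primary) NAT rule needs an (inside,backup) twin.
    backup_nat = {ln for ln in lines if ln.startswith(f"nat (inside,{backup})")}
    for ln in lines:
        if ln.startswith(f"nat (inside,{primary})"):
            twin = ln.replace(f"(inside,{primary})", f"(inside,{backup})", 1)
            if twin not in backup_nat:
                findings.append(f"NAT rule not mirrored on {backup}: {ln}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", FW2_BEFORE), ("after", FW2_BEFORE + FW2_ADDITIONS)):
        print(f"== {label} ==")
        for f in audit_dual_isp(cfg, "outside", "outside2", "outside_map") or ["no findings"]:
            print(" -", f)
```

Run against the "before" config it reports the four missing outside2 lines (ikev1, crypto map, and both NAT twins); with the additions appended it reports nothing. The checks are exact-line matches on normalised config text, so apply it to a copy of the running config rather than to hand-typed notes.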
I have an old Pix 6.3, any idea what the equivalent command is for the: crypto map outside_map 10 set connection-type bi-directional ??
The ‘set connection-type’ command was introduced by Cisco in version 7.0. So, 6.3 code does not have a command for changing the connection-type, and it’s safe to assume that it’s set to bi-directional by default.
Here’s the link to the Cisco documentation which shows the software versions that support this command:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml#backup
Hope that helps :)
I do not know if it’s just me or if everyone else is encountering issues with your website. It seems like some of the written text in your posts is running off the screen. Can somebody else please comment and let me know if this is happening to them too? This could be an issue with my browser because I’ve had this happen before. Kudos
Hey,
Yes, the blog has a problem with IE and maybe even firefox. The CSS code that I have on my blog isn’t compatible with those browsers. Try using Chrome and it should be fine. :)
In the near future I’ll try to get some time out of my hectic work schedule to fix this. It’s been on my to-do list for a long time now.
Thanks,
Shoaib
Superb post bro :)
Hi Shoeb,
This post helped a lot.
However, we are having issues with failover from primary to backup.
Can you please review the config below and advise if my understanding is right or any modification is required.
***************************** Site A ************************************
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
route outside 0.0.0.0 0.0.0.0 175.143.73.169 1 track 1
route backup 0.0.0.0 0.0.0.0 218.111.150.225 254
crypto ikev1 enable outside
crypto ikev1 enable backup
crypto map outside_map1 interface outside
nat (inside,outside) source static FMYHQ FMYHQ destination static obj-175.143.45.186 obj-175.143.45.186 no-proxy-arp route-lookup
nat (inside,any) source static FMYHQ FMYHQ destination static WarehouseRemote WarehouseRemote no-proxy-arp route-lookup
nat (inside,any) source static any any destination static WarehouseRemote WarehouseRemote no-proxy-arp route-lookup
access-list inside_access_in line 3 extended permit ip any4 object WarehouseRemote
access-list outside_cryptomap_10 line 1 extended permit ip any4 object WarehouseRemote
******************* Site B ***************************
tunnel-group 175.143.73.170 type ipsec-l2l
tunnel-group 175.143.73.170 ipsec-attributes
tunnel-group 218.111.150.226 type ipsec-l2l
tunnel-group 218.111.150.226 ipsec-attributes
crypto map BACKUP_map 1 match address BACKUP_1_cryptomap
crypto map BACKUP_map 1 set pfs group1
crypto map BACKUP_map 1 set peer 175.143.73.170 218.111.150.226
crypto map BACKUP_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map BACKUP_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map BACKUP_map interface BACKUP
——————————————————————————————————-
Regards,
Sharad
Require the same set of configuration for a Checkpoint firewall, can anyone help?
Kindly assist, I’m not able to apply the command:
ASA5506 (config)# crypto map outside_map interface backup
ERROR: crypto map has entries with reverse-route injection enabled
Cannot attach to multiple interfaces
Is there any other way to enable the crypto map on 2 interfaces at the same time and make this redundancy scenario work?
Thank You,
Mohamed
If possible, create a separate crypto map without the reverse-route injection command.
The reverse-route option is generally used for the remote-access VPN IP pool. You can also manually add a static route for those local IP pools pointing to your outside interface and get rid of the reverse-route injection command in the crypto map.
Hope that helps
Regards,
Shoaib
Just to give feedback, the best way to test this is shutting down the interface that you don’t want to be used rather than pulling cables from interfaces. This causes a huge delay which can cause the IPsec session to fail to establish.