Cisco ASA Site to Site VPN Failover How-To

Policy based IPSEC tunneling is probably the most widely used technique to get two offices to communicate securely (at least in the SMB Market).

Today I’m going to discuss how you can configure two ASA’s to failover to their secondary WAN, and then have their tunnels fail over as well.

One should always aim for having two ISPs if the business needs to rely on the tunnel. The question to ask ones self is “If this tunnel goes down, can I continue working?”

If the answer is no, then you need a secondary ISP at a minimum.

 

I’m going to begin the config for ASAv-1 (left network)…

 

First let’s get some basic “optimizations” out of the way:

 

The below allows the asa to keep track of ICMP and let it pass through (does it by IP and expected code reply)

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

The first command prevents TCP fragmentation in the future tunnels by clamping the MSS.

The second command preserves session tables if the VPN bounces (quicker recovery).

sysopt connection tcpmss 1350

sysopt connection preserve-vpn-flows

 

Now let’s configure the LAN and WAN and their security levels.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside2
security-level 0
ip address 1.0.1.1 255.255.255.0
!

Configure an IP SLA monitor to ping google via the first outside interface.

sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
timeout 6000
frequency 10
sla monitor schedule 1 life forever start-time now

Connect a track object to the IP SLA so we can reference in the route later.

track 1 rtr 1 reachability

Tell the ASA to use Outside as the primary WAN and failover to Outside2 when the track object fails.

route outside 0.0.0.0 0.0.0.0 1.0.0.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 1.0.1.2 2

Configure basic dynamic PAT for both WAN interfaces.

nat (inside,outside) after-auto source dynamic any interface
nat (inside,outside2) after-auto source dynamic any interface

 

Now let’s configure the VPN:

Enable ikev1 listening on both WAN interfaces.

crypto ikev1 enable outside
crypto ikev1 enable outside2

Set our preferred IKE policy for all VPNs.

crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

Create the tunnel groups for both WAN links on the other side, with the same shared secret.

tunnel-group 2.0.0.1 type ipsec-l2l
tunnel-group 2.0.0.1 ipsec-attributes
ikev1 pre-shared-key password
tunnel-group 2.0.1.1 type ipsec-l2l
tunnel-group 2.0.1.1 ipsec-attributes
ikev1 pre-shared-key password

Configure the ACL for matching the traffic to be protected.

object network lan
subnet 192.168.1.0 255.255.255.0
object network remote
subnet 192.168.2.0 255.255.255.0
access-list vpn extended permit ip object lan object remote

Configure the IPSEC encryption parameters.

crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac

Configure the crypto map for the tunnel, with two peers, then add it to both WAN interfaces.

crypto map vpn_map 10 match address vpn
crypto map vpn_map 10 set peer 2.0.0.1 2.0.1.1
crypto map vpn_map 10 set ikev1 transform-set myset

crypto map vpn_map interface outside
crypto map vpn_map interface outside2

Finally configure the identity NAT so that the traffic traverses properly.

nat (inside,outside) source static lan lan destination static remote remote no-proxy-arp route-lookup
nat (inside,outside2) source static lan lan destination static remote remote no-proxy-arp route-lookup

Now let’s configure the right network’s ASA. I will put that whole config down here since it’s basically a mirror.

!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 2.0.0.1 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface GigabitEthernet0/2
 nameif outside2
 security-level 0
 ip address 2.0.1.1 255.255.255.0  
!

object network lan
 subnet 192.168.2.0 255.255.255.0
object network remote
 subnet 192.168.1.0 255.255.255.0
access-list vpn extended permit ip object lan object remote 


nat (inside,outside) source static lan lan destination static remote remote no-proxy-arp route-lookup
nat (inside,outside2) source static lan lan destination static remote remote no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
nat (inside,outside2) after-auto source dynamic any interface

route outside 0.0.0.0 0.0.0.0 2.0.0.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 2.0.1.2 2

sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows

sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 timeout 6000
 frequency 10
sla monitor schedule 1 life forever start-time now

crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac 

crypto map vpn_map 10 match address vpn
crypto map vpn_map 10 set peer 1.0.0.1 1.0.1.1 
crypto map vpn_map 10 set ikev1 transform-set myset
crypto map vpn_map interface outside
crypto map vpn_map interface outside2

crypto ikev1 enable outside
crypto ikev1 enable outside2
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability
tunnel-group 1.0.0.1 type ipsec-l2l
tunnel-group 1.0.0.1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 1.0.1.1 type ipsec-l2l
tunnel-group 1.0.1.1 ipsec-attributes
 ikev1 pre-shared-key *****

policy-map global_policy
 class inspection_default
  inspect icmp 
  inspect icmp error 

Use the “show vpn-sessiondb l2l” command to view the status of the tunnel, like below.

 

healthy tunnel will have both TX and RX Bytes showing.

An unhealthy tunnel will either show “There are presently no active sessions” or it might show  some TX or RX, but not both.

It also helps of course to just ping across the tunnel, here I am pinging from 2.10 to 1.10.

 

 

Ok now let’s initiate some failover and test:

Shut down the primary WAN on ASA 2 (right network). Let’s confirm which interface that is:

Perfect, looks to be G0/0 as we expected.

Run this debug command to confirm IPSEC failover.

debug crypto ipsec 128

Ok now shut off int g0/0.

Ok let’s confirm the track object did its job and failed over to our static default route with an AD of 2.

Yup, looks like we are good there.

Now If I ping again from 2.10 to 1.10 the tunnel should renegotiate.

We also would see these decrypt messages from the ASA.

Perfect the failover worked. Now do an “undebug all” in global config mode to return the ASA back to normal.