Cisco IOS to PIX/ASA MultiPeer Config

Posted on 2006-11-07
Last Modified: 2008-01-09
Dear sirs, I need your help.

We have a Cisco PIX515E at the central site serving VPNs to spoke Cisco 871 routers. Config extracts follow.

We've dual homed the PIX using route tracking, making the secondary ISP just a hot standby path, and want to cause the 871s to automatically switch. Cisco IOS doc. suggests that multiple ipsec peer statements will do the trick, but I must not be configuring it correctly. When I force a switch to our secondary ISP, the 871's appear to keep banging away at our primary address and not trying to use the secondary peer path.

Our releases are PIX/ASA: 7.2(1-24) and IOS 12.4(9)T AdvIPServ.

****************************** The 871 config **********************************
!! Cisco 871, config for Spoke network, with:
! dhcp assigned outside address
! outbound pat, ntp,
! basic firewalling
! static vpn to PIX515 with manual selection Widomaker/Cox
! qos based on rfc2597/2598 differentiated services
! dhcp server with hosts below 100 excluded
version 12.4
crypto isakmp key SharedSecret address w.w.w.w
crypto isakmp key SharedSecret address c.c.c.c
crypto isakmp keepalive 10 2 periodic
crypto map hqvpn 11 ipsec-isakmp
 set security-associaation idletime 120
 set peer w.w.w.w preferred
 set peer c.c.c.c
 set transform-set ...
 match address 120
 qos pre-classify
! use f0-f4 as 4 port switch for vlan1 i/f
interface FastEthernet0
 no ip address
interface FastEthernet4
 description Outside
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map hqvpn
 service-policy output cbwfq_policy
interface Vlan1
 description Inside
 ip address
 ip nbar protocol-discovery
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
! service-policy output cbwfq_policy
ip classless
ip nat inside source list 121 interface FastEthernet4 overload
access-list 101 remark inbound
access-list 120 remark select vpn traffic
access-list 120 permit ip
access-list 121 remark nat all but vpn traffic
access-list 121 deny ip
access-list 121 permit ip any

****************************** The PIX515E config ******************************
PIX Version 7.2(1)24
! Widomaker w.w.w.w our assigned address
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address w.w.w.w m.m.m.m
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address
! Cox Cable c.c.c.c our assigned address
interface Ethernet3
 speed 100
 duplex full
 nameif backup
 security-level 0
 ip address c.c.c.c m.m.m.m
global (outside) 10 interface
global (backup) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10
access-group outside_access_in in interface outside
access-group backup_access_in in interface backup
route outside w.w.w.gateway 1 track 1
route backup c.c.c.gateway 244
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 5
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
! winside is an address inside Widomaker (our primary ISP)
sla monitor 123
 type echo protocol ipIcmpEcho w.w.w.winside interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set fast ...
crypto dynamic-map dynmap 20 set transform-set fast
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto map mymap interface backup
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption ...
 hash ...
 group .
 lifetime none
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  60
track 1 rtr 123 reachability
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key SharedSecret
telnet inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
priority-queue outside
priority-queue inside
class-map voip
 match dscp ef
class-map rtp2
 match rtp 51000 256
class-map rtp1
 match rtp 28000 256
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map qos
 class voip
 class rtp2
 class rtp1
 class class-default
service-policy global_policy global
Question by:GLGARRISON
  • 4
  • 2
LVL 14

Accepted Solution

Joseph Hornsey earned 500 total points
ID: 17891554
I'd try configuring your Dead Peer Detection differently.

Try this (on the 871's):

Change the preferred peer to "set peer w.w.w.w default".
Change the keep-alives to "crypto isakmp keepalive 10 on-demand" (You may not have to specify the number of seconds if it's on-demand vs. periodic... I can't remember off the top of my head)
Change the SA idletime to "set security-association idletime 120 default"

Let me know if that works.


Author Comment

ID: 17898932
Thanks, SplinterCell5894.

Great catch on the preferred peer syntax. I agree, something's keeping dpd from doing it's job (probably me).

I'll try and report back. It's the production system (wish I had a some spare hardware to test with) so it'll take a maintenance interval to change and test.

Best regards,
LVL 14

Expert Comment

by:Joseph Hornsey
ID: 17899111

Nah.  Just do it anyway and then tell them your phone company dropped a line (or there were sun spots which caused interference with communications satellites or something else that sounds really technical).  :)

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.


Author Comment

ID: 17901749
:-) Woohoo, it works! Way to go eagle eye SplinterCell5894!

Oh yeah, today was a really bad day for sunspots... good thing they didn't last long!

It's ok to accept a comment as an answer, isn't it? Or is there another protocol.
Darned, and I thought it was going to be a hard one. Had me stumped!
LVL 14

Expert Comment

by:Joseph Hornsey
ID: 17903685
Nope.... I think you actually have to select an answer to accept.  Then you give it a grade.

If you look on the right side of the screen next to the correct posted answer, you'll see a button that says "Accept".

Then, you give a grade A, B or C.  The grade you give determines the amount of points awarded.

Glad that worked for you!!!


LVL 14

Expert Comment

by:Joseph Hornsey
ID: 17903746

By the way...

Here's a great web site for you:

You can actually subscribe to an RSS feed which gives you the Excuse of the Day.  Here are the last few:

failure of the AE-35 unit
neutrino interactions
solar flares
the lack of an American work ethic
tsunamis in the wave-division multiplexer
a squirrel chewed through the cables
an incorrectly polarized packet accelerator
nobody forwarded that memo
line noise from rats in the wall
La Nina

I like La Nina, solar flares and the incorrectly polarized packet accelerator,  :)



Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Accessing two networks from one PC 30 113
How do I allow multiple VLANs internet access on a Cisco ASA 5505? 8 38
Netgear modem router default firmware 11 32
DHCP Reservations 17 30
If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
Learn how to PXE Boot both BIOS & UEFI machines with DHCP Policies and Custom Vendor Classes
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question