Cisco IOS to PIX/ASA MultiPeer Config

Dear sirs, I need your help.

We have a Cisco PIX515E at the central site serving VPNs to spoke Cisco 871 routers. Config extracts follow.

We've dual homed the PIX using route tracking, making the secondary ISP just a hot standby path, and want to cause the 871s to automatically switch. The Cisco IOS documentation suggests that multiple IPsec peer statements will do the trick, but I must not be configuring it correctly. When I force a switch to our secondary ISP, the 871s appear to keep banging away at our primary address and not trying to use the secondary peer path.

Our releases are PIX/ASA: 7.2(1-24) and IOS 12.4(9)T AdvIPServ.

****************************** The 871 config **********************************
!! Cisco 871, config for Spoke network, with:
! dhcp assigned outside address
! outbound pat, ntp,
! basic firewalling
! static vpn to PIX515 with manual selection Widomaker/Cox
! qos based on rfc2597/2598 differentiated services
! dhcp server with hosts below 100 excluded
version 12.4
crypto isakmp key SharedSecret address w.w.w.w
crypto isakmp key SharedSecret address c.c.c.c
crypto isakmp keepalive 10 2 periodic
crypto map hqvpn 11 ipsec-isakmp
 set security-association idle-time 120
 set peer w.w.w.w preferred
 set peer c.c.c.c
 set transform-set ...
 match address 120
 qos pre-classify
! use f0-f3 as 4 port switch for vlan1 i/f (f4 is the WAN port)
interface FastEthernet0
 no ip address
interface FastEthernet4
 description Outside
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map hqvpn
 service-policy output cbwfq_policy
interface Vlan1
 description Inside
 ip address
 ip nbar protocol-discovery
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
! service-policy output cbwfq_policy
ip classless
ip nat inside source list 121 interface FastEthernet4 overload
access-list 101 remark inbound
access-list 120 remark select vpn traffic
access-list 120 permit ip
access-list 121 remark nat all but vpn traffic
access-list 121 deny ip
access-list 121 permit ip any

****************************** The PIX515E config ******************************
PIX Version 7.2(1)24
! Widomaker w.w.w.w our assigned address
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address w.w.w.w m.m.m.m
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address
! Cox Cable c.c.c.c our assigned address
interface Ethernet3
 speed 100
 duplex full
 nameif backup
 security-level 0
 ip address c.c.c.c m.m.m.m
global (outside) 10 interface
global (backup) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10
access-group outside_access_in in interface outside
access-group backup_access_in in interface backup
route outside w.w.w.gateway 1 track 1
route backup c.c.c.gateway 244
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 5
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
! winside is an address inside Widomaker (our primary ISP)
sla monitor 123
 type echo protocol ipIcmpEcho w.w.w.winside interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set fast ...
crypto dynamic-map dynmap 20 set transform-set fast
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto map mymap interface backup
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption ...
 hash ...
 group .
 lifetime none
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  60
track 1 rtr 123 reachability
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key SharedSecret
telnet inside
telnet timeout 5
ssh timeout 5
ssh version 1
! SSHv1 only; PIX 7.x also supports "ssh version 2", which is the version to use
console timeout 0
management-access inside
priority-queue outside
priority-queue inside
class-map voip
 match dscp ef
class-map rtp2
 match rtp 51000 256
class-map rtp1
 match rtp 28000 256
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map qos
 class voip
 class rtp2
 class rtp1
 class class-default
service-policy global_policy global
Joseph Hornsey (President and Janitor) commented:
I'd try configuring your Dead Peer Detection differently.

Try this (on the 871's):

Change the preferred peer to "set peer w.w.w.w default".
Change the keep-alives to "crypto isakmp keepalive 10 on-demand" (You may not have to specify the number of seconds if it's on-demand vs. periodic... I can't remember off the top of my head)
Change the SA idletime to "set security-association idletime 120 default"

Let me know if that works.

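The spoke-side crypto map with the three changes from the comment above applied, written out as an added example (it is not the poster's configuration and not the commenter's text). The IOS syntax is that of the IPsec Preferred Peer feature in 12.4T; note that the IOS command is spelled `set security-association idle-time` (the thread writes `idletime`). The addresses w.w.w.w (Widomaker) and c.c.c.c (Cox), ACL 120 and the map name hqvpn are carried over from the post; the transform-set name `hqset` and its algorithms, and the ISAKMP policy values, are assumptions chosen to match PIX policy 65535 in the posted config.

```cisco
! Spoke (Cisco 871) crypto map with multi-peer failover to the PIX.
! Added example, not the original post's config. w.w.w.w / c.c.c.c and ACL 120
! come from the post; transform-set "hqset" and its algorithms are assumptions.
!
! Phase 1 policy. Must match one of the PIX "crypto isakmp policy" entries;
! the posted PIX policy 65535 is 3des / sha / group 2 / pre-share.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! One pre-shared key per peer address. Both addresses are the same PIX, which
! holds the key under "tunnel-group DefaultL2LGroup" (a single key shared by
! every spoke that lands in the default L2L group).
crypto isakmp key SharedSecret address w.w.w.w
crypto isakmp key SharedSecret address c.c.c.c
!
! Dead Peer Detection.
!   before:  crypto isakmp keepalive 10 2 periodic
! "periodic" sends a DPD R-U-THERE every 10 s whether or not there is traffic.
! "on-demand" sends one only when the router has outbound traffic for the peer
! and has seen nothing back for 10 s, then retries every 2 s; when the retries
! are exhausted the IKE SA is torn down and the next "set peer" is tried.
crypto isakmp keepalive 10 2 on-demand
!
crypto ipsec transform-set hqset esp-3des esp-sha-hmac
!
crypto map hqvpn 11 ipsec-isakmp
 ! before:  set peer w.w.w.w preferred
 ! "preferred" is not an IOS keyword; "default" is. The default peer is tried
 ! first, the next peer is used once the default peer is declared dead, and the
 ! router returns to the default peer after the SA idle-time (below) expires.
 set peer w.w.w.w default
 set peer c.c.c.c
 ! before:  set security-association idletime 120
 ! With "default", an SA that has been idle for 120 s is torn down and the next
 ! interesting packet re-runs peer selection starting at the default peer, so
 ! the spoke does not stay on the backup ISP after the primary recovers.
 set security-association idle-time 120 default
 set transform-set hqset
 match address 120
 qos pre-classify
!
! Checks after forcing the PIX onto its backup ISP (route tracking flips):
!   show crypto isakmp sa                     ! dst should move from w.w.w.w to c.c.c.c
!   show crypto ipsec sa | include current_peer
!   debug crypto isakmp                       ! look for the DPD timeout and the retry to the next peer
```

The order matters only in that the default peer should be the first `set peer` line; the idle-time is what lets the spoke fail back, so leave it in even if the tunnel otherwise stays up after failover.
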
GLGARRISON (Author) commented:
Thanks, SplinterCell5894.

Great catch on the preferred peer syntax. I agree, something's keeping DPD from doing its job (probably me).

I'll try and report back. It's the production system (wish I had some spare hardware to test with) so it'll take a maintenance interval to change and test.

Best regards,
Joseph Hornsey (President and Janitor) commented:

Nah.  Just do it anyway and then tell them your phone company dropped a line (or there were sun spots which caused interference with communications satellites or something else that sounds really technical).  :)

GLGARRISON (Author) commented:
:-) Woohoo, it works! Way to go eagle eye SplinterCell5894!

Oh yeah, today was a really bad day for sunspots... good thing they didn't last long!

It's ok to accept a comment as an answer, isn't it? Or is there another protocol.
Darned, and I thought it was going to be a hard one. Had me stumped!
Joseph Hornsey (President and Janitor) commented:
Nope.... I think you actually have to select an answer to accept.  Then you give it a grade.

If you look on the right side of the screen next to the correct posted answer, you'll see a button that says "Accept".

Then, you give a grade A, B or C.  The grade you give determines the amount of points awarded.

Glad that worked for you!!!


Joseph Hornsey (President and Janitor) commented:

By the way...

Here's a great web site for you:

You can actually subscribe to an RSS feed which gives you the Excuse of the Day.  Here are the last few:

failure of the AE-35 unit
neutrino interactions
solar flares
the lack of an American work ethic
tsunamis in the wave-division multiplexer
a squirrel chewed through the cables
an incorrectly polarized packet accelerator
nobody forwarded that memo
line noise from rats in the wall
La Nina

I like La Nina, solar flares and the incorrectly polarized packet accelerator,  :)
