Solved

ASA dual ISP routing issue

Posted on 2013-01-07
10
838 Views
Last Modified: 2013-01-07
We have a 5510 configured with dual ISP's, one primary and one backup.  We are using tracked routes for failover which is working fine. We also have a 5505 that we use for our public network access both public wireless and 802.1x on our wired switches. We are using our backup ISP to supply internet access to the 5505. We use one of our backup ISP's static IP's for our 5510 backup interface and one for the outside interface on the 5505. Both of these public IP's use the same default gateway. The problem is that when we try to establish a VPN connection to the 5510 from our public network (Backup ISP,) we are not successful. Its seems that the packets are reaching the 5510 but aren't being returned. When I disable the backup interface on the 5510, everything works fine. Any insight into this issue would be greatly appreciated.

Thanks
0
Comment
Question by:rm250motox
  • 4
  • 4
  • 2
10 Comments
 
LVL 18

Expert Comment

by:Akinsd
ID: 38752999
Consider implementing HSRP, VRRP or GLBP redundancy

HSRP is Cisco proprietary protocol
VRRP is standard accross the board
GLBP lets you load balance but is only available on newer IOS (and routers)

GLBP is the best option if you have newer Cisco routers and your IOS supports it

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html
0
 

Author Comment

by:rm250motox
ID: 38753050
I would love to implement proper fail over and redundancy, unfortunately, we do not yet have a router in front of our ASA.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 38753061
Most L3 switches support it too.
0
 

Author Comment

by:rm250motox
ID: 38753063
Are you saying the only solution to my problem is to not use the ASA for ISP failover?
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 38753068
You can setup a NAT pool and configure static NAT

GLBP just give you the ability to use both connections simultaneously (speed and bandwidth gain)
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:rm250motox
ID: 38753078
What would the static NAT look like?
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 38753089
The problem is most likely routing, but not obvious when you haven't been through this before. When you vpn from a guest device, it probably nats to an ip on the backup ISP subnet. When the VPN is initiated, the destination is the primary public ip, and the source is within the backup interface's range. This means that the Asa has no choice but to respond to the packet by using the backup interface because it has the subnet locally defined. As a result, the destination ip doesn't match the ip used for the response. Everything works with the backup interface shut down because it's not able to do the mismatch.
As long as the 5505 is not connected behind the 5510, I would do one of two things. Set the VPN profile to use the backup interface instead of the primary, or change the profile to have a backup server which is your backup interface. There will be a delay when doing the backup server method, but in the end it should work. Make sure you have VPN enabled on the 5510 backup interface.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 38753090
Static NAT is a form of port forwarding.

Check out the following links (forum and video)

https://supportforums.cisco.com/thread/346274

http://www.youtube.com/watch?v=YqBqwGfOmsY
0
 

Author Closing Comment

by:rm250motox
ID: 38753127
I should've tried that in the first place. I imagine this only works because the device trying to establish a VPN is behind the same default gateway as the backup interface?
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38753148
Yep.

I suppose another possible reason for the issue isn't routing but rpf-check (reverse path forwarding check). Essentially a packet is dropped if it's received on an interface that shouldn't ever receive the packet. In your case the primary interface drops a packet that's sourced from the backup interface's subnet because it suggests a loop or an attack. I would have to run packet tracer to see the real reason... Routing or rpf.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
Before I go to far, let's explain HA (High Availability) and why you should consider it.  High availability is the mechanism used to provide redundancy to any service at the same site and appears as a single service to the users of that service.  As…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now