Solved

Cisco multi-gateway routing problem: ASA5505's and 1841's, MPLS, Tunnels

Posted on 2013-05-16
579 Views
Last Modified: 2013-08-13
Refer to the attached diagram for a conceptual diagram of the network.

Sorry for the long post - trying to get as many details in as possible.

The SETUP:
ASA's have a tunnel between them.  High speed cable network.
1841's connected in MPLS. 1.5mb T1's
All Internet-destined traffic must go out the MPLS routers (to 3rd party filtering host).  Only inter-branch traffic over the ASA-ASA tunnel can leave the ASA's.

ASA's have an SLA monitor on the outside, with failover to the 1841.
route outside 0.0.0.0 0.0.0.0 <isp>  1 track 1
route inside 0.0.0.0 0.0.0.0 192.168.1.1 2

The 1841's are not in my control, and only route the internal LAN's.

The remote station (192.168.2.50) gateway points to the remote ASA inside (192.168.2.254).

Currently:
The Terminal Server (192.168.1.10) has its gateway set to the MPLS router, with static routes to specific remote IPs pointing to ASA1 (route 192.168.2.50 255.255.255.255 192.168.1.254), forcing traffic to the remote host over the ASA-ASA tunnel.

The PROBLEM:
The problem is when the tunnel drops (e.g., either side loses connectivity to ISP).

The SLA is working, and the route outside is removed, leaving the default route set to the MPLS router.

However, the remote client cannot make an RDP connection to the server.  I can ping in both directions just fine.  

I believe the problem is described here (http://www.8-p.org/wiki/doku.php?id=asahairpinning), basically, the ASA handles ICMP redirection, but non-ICMP packets are lost due to the path of the SYN packets.  

That is - the remote client initiates a TCP 3389 connection to 192.168.1.10 via 192.168.2.254 (ASA2).
ASA2's SLA monitor has dropped the route outside, and sends the packet to 1841-2, over the MPLS, and pops out on 1841-1 to hit the Server.  
The Server, however, has a route to 192.168.2.50 directed to ASA1, so the return packet gets sent to ASA1.
ASA1 drops the packet since it never saw the first packet from the remote host.

If I change the default gateway on Server to ASA1, then Internet traffic goes out the ASA, which violates the corporate policy.

The QUESTION:

How can I achieve failover on the ASA tunnel, and still maintain connectivity?
[Attached diagram: WAN-conceptual-simplified.2013-0.jpg]
Question by:snowdog_2112
11 Comments
 
LVL 11

Expert Comment

by:naderz
ID: 39173242
What is the device sitting behind the ASAs?

And, if I understand your question correctly, you want the ASA to turn around and establish the VPN Tunnel through its inside interface if its outside interface is not available; correct?
 
LVL 11

Assisted Solution

by:naderz
naderz earned 500 total points
ID: 39173253
One quick thought is to connect the 1841s on the outside of the ASAs and control routing within the ASA as you have above. For the tunnel, the ASAs will then be able to use the 1841 path if necessary.
 
LVL 20

Expert Comment

by:rauenpc
ID: 39174738
I think the best choice would be to use a Layer3 switch as a gateway between clients and ASA/1841. You can then use dynamic routing to have the L3 switch determine which direction traffic needs to go. This way, traffic that can't go through the ASA never will and you won't have to deal with asynchronous traffic flows. This method is sometimes easier said than done.

Another method would be tcp state bypass. This is more of a bandaid than a good solution because the state bypass is set per interface and doesn't care about what routes are active so you would be bypassing state inspection at all times.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
 

Author Comment

by:snowdog_2112
ID: 39175456
naderz - your suggestion is intriguing.

Is it possible (referring to the diagram) to build a tunnel sourced on the *INSIDE* interface?

Or am I combining the 2 suggestions above and moving the ASA *between* the LAN and the 1841 and simply treating it as a dual WAN configuration?!?!

Hmmm...the dual WAN may be the least CF'd solution.
 
LVL 11

Assisted Solution

by:naderz
naderz earned 500 total points
ID: 39175633
If I understand your objective correctly, the dual WAN solution would work. If you can place the 1841 after the ASA as another "outside" interface, then you can have the following configs.

1. Create new network for connecting the ASA and 1841 on the outside of ASA. Let's say with security level 0 and your existing connection to isp can be security level 1.

2. Have your inside network point to the ASA as default gateway.

3. On the ASA have a default route pointing to the 1841. This will take care of your Internet connections, etc.

route outside2 0.0.0.0 0.0.0.0 "New IP address of 1841 on the network between ASA and 1841"

4. On the ASA have two static routes (similar to what you have now) as follows:
route outside1 192.168.2.0 255.255.255.0 <isp>  1 track 1
route outside2 192.168.2.0 255.255.255.0 "New IP address of 1841 on the network between ASA and 1841" 2

5. You will need to make sure that all appropriate VPN, ACLs, and NATs configs are in place between the outside and inside interfaces. It will take a little effort, but it's worth it.

I think I have covered all the steps. That should work allowing the ASA to track connections as they go in and out between your two sites.
 

Author Comment

by:snowdog_2112
ID: 39181268
I am putting together that plan today to see if there is something that will poke me in the eye.

I think the solution will work, but I'll have to test it at one location first (there are 8 total).

I will report back - probably not til later this week.  Thanks in advance!!!!!!!!
 
LVL 20

Expert Comment

by:rauenpc
ID: 39181581
One thing to keep in mind is that if you put the 1841 behind the ASA you end up with a single point of failure. If the ASA blows a power supply or has some other major failure, both connections to WAN and internet are inaccessible. Naderz's solution does seem to allow for failover in the event that either WAN/internet connection fails or if the 1841 fails, but without redundant ASAs the firewall becomes a single point of failure.
 

Author Comment

by:snowdog_2112
ID: 39186008
I'm not looking to eliminate SPOF - the ASA and 2nd WAN was added for throughput, not redundancy.  We were running with SPOF on the 1841 until the ASA was added.

The ASA and cable link is admittedly less stable than the MPLS, but faster.  I am trying to provide for connectivity failover for the (all-too-often, it seems) cable ISP drops.

But I do agree with your sentiment, and it is duly noted.  Thanks!
 

Author Comment

by:snowdog_2112
ID: 39307968
Still waiting for a window to test this...thanks.
 

Accepted Solution

by:snowdog_2112
snowdog_2112 earned 0 total points
ID: 39393569
Got this to work using the ASA as a single gateway.

Note: it requires Security+ license on the ASA.

This link describes it very nicely: http://www.petenetlive.com/KB/Article/0000544.htm

Here is the overview:
Create 2 outside interfaces.
Set a route on each interface, with the primary ISP having the lower metric and a "track [n]".
Configure "sla monitor [z]" to monitor an IP out the primary ISP.
Configure "track [n]" for sla [z].

The sla will ping the IP you specify.  If the ping drops, the route for ISP 1 is removed, making the route for ISP 2 the de facto default route.

When ISP 1 pings again, the route is added back with a lower metric than ISP 2, taking over the default.

I recommend something past the ISP gateway - I've found that pinging an ISP device physically in the location may not accurately identify a dropped link.  That is, if you're pinging the cable modem sitting next to the ASA, that won't tell you if the coax beyond the modem is down.
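A worked ASA1 configuration for the dual-outside design naderz lays out above, using the sla monitor / track / floating-route mechanism described in the accepted solution. It is added here as an example and is not the thread's own config: every address other than the two LANs is an assumed placeholder, the SLA target is an assumed host beyond the ISP gateway (per the advice about not pinging the modem), and the VPN, NAT and ACL configuration naderz's step 5 refers to is not shown.

```cisco
! Added example, not the thread's config. ASA1 (5505) with two outside paths.
! Assumed placeholders: 203.0.113.0/30 ISP link, 192.168.100.0/30 ASA-to-1841 link,
! 198.51.100.1 a host beyond the ISP gateway, 198.51.100.50 the remote ASA's public IP.
interface Ethernet0/2
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside1
 security-level 1
 ip address 203.0.113.2 255.255.255.252
!
! Third fully routed VLAN: the reason a Security Plus license is needed on a 5505
interface Vlan3
 nameif outside2
 security-level 0
 ip address 192.168.100.1 255.255.255.252
!
! Probe something past the cable modem so a dead coax segment is actually detected
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Policy: Internet always leaves via the 1841/MPLS, so the only default route is outside2
route outside2 0.0.0.0 0.0.0.0 192.168.100.2 1
!
! Remote LAN: prefer the ASA-ASA tunnel while track 1 is up, else the MPLS path.
! Both directions of the flow now cross this ASA, so its state table stays consistent
! and the dropped-SYN problem from the question no longer occurs.
route outside1 192.168.2.0 255.255.255.0 203.0.113.1 1 track 1
route outside2 192.168.2.0 255.255.255.0 192.168.100.2 2
!
! The tunnel peer itself must be reached via the ISP path, not the MPLS default route
route outside1 198.51.100.50 255.255.255.255 203.0.113.1 1 track 1
```

After applying it, "show route" and "show track 1" confirm which 192.168.2.0/24 route is active; pulling the cable link should flip the tracked routes without breaking RDP from 192.168.2.50 to 192.168.1.10.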
 

Author Closing Comment

by:snowdog_2112
ID: 39404138
Follow the link in my comment for an actual config example.

Works well - I drop one ping and the link switches, and the tunnel is up on the 2nd ISP.

AWESOME!