Cisco multi-gateway routing problem: ASA5505's and 1841's, MPLS, Tunnels

Posted on 2013-05-16
Last Modified: 2013-08-13
Refer to the attached diagram for a conceptual diagram of the network.

Sorry for the long post - trying to get as many details in as possible.

ASAs have a tunnel between them. High-speed cable network.
1841s connected via MPLS, 1.5 Mb T1s.
All Internet-destined traffic must go out the MPLS routers (to a 3rd-party filtering host). Only inter-branch traffic over the ASA-ASA tunnel can leave the ASAs.

ASAs have an SLA monitor on the outside, with failover to the 1841.
route outside <isp>  1 track 1
route inside 2

The 1841's are not in my control, and only route the internal LAN's.

The remote station ( gateway points to the remote ASA inside (

The Terminal Server ( has its gateway set to the MPLS router, with static routes to specific remote IPs pointing to ASA1 (route 1921.68.1.254), forcing traffic to the remote host over the ASA-ASA tunnel.

The problem is when the tunnel drops (e.g., either side loses connectivity to ISP).

The SLA is working, and the route outside is removed, leaving the default route set to the MPLS router.

However, the remote client cannot make an RDP connection to the server. I can ping in both directions just fine.

I believe the problem is described here (, basically, the ASA handles ICMP redirection, but non-ICMP packets are lost due to the path of the SYN packets.

That is, the remote client initiates a TCP 3389 connection to via (ASA2).
ASA2's SLA monitor has dropped the route outside, and sends the packet to 1841-2 over the MPLS; it pops out on 1841-1 to hit the Server.
The Server, however, has a route to directed to ASA1, so the return packet gets sent to ASA1.
ASA1 drops the packet since it never saw the first packet from the remote host.

If I change the default gateway on Server to ASA1, then Internet traffic goes out the ASA, which violates the corporate policy.


How can I achieve failover on the ASA tunnel and still maintain connectivity?
Question by:snowdog_2112
LVL 11

Expert Comment

ID: 39173242
What is the device sitting behind the ASAs?

And, if I understand your question correctly, you want the ASA to turn around and establish the VPN Tunnel through its inside interface if its outside interface is not available; correct?
LVL 11

Assisted Solution

naderz earned 500 total points
ID: 39173253
One quick thought is to connect the 1841s on the outside of the ASAs and control routing within the ASA as you have above. For the tunnel, the ASAs will then be able to use the 1841 path if necessary.
LVL 20

Expert Comment

ID: 39174738
I think the best choice would be to use a Layer 3 switch as a gateway between clients and ASA/1841. You can then use dynamic routing to have the L3 switch determine which direction traffic needs to go. This way, traffic that can't go through the ASA never will and you won't have to deal with asynchronous traffic flows. This method is sometimes easier said than done.

Another method would be tcp state bypass. This is more of a bandaid than a good solution because the state bypass is set per interface and doesn't care about what routes are active so you would be bypassing state inspection at all times.
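The TCP state bypass configuration the comment above refers to, shown here as an added example and not as part of the original answer. The host and subnet addresses, the ACL, class-map and policy-map names are assumptions chosen for illustration; the commands themselves are standard ASA Modular Policy Framework syntax.

```cisco
! Added example (not the poster's configuration): TCP state bypass on ASA1 for
! the one flow that arrives without a matching connection entry.
! Placeholder addresses: 192.168.1.10 = Terminal Server, 192.168.2.0/24 = remote LAN.
!
! Match only the RDP replies the server sends towards the remote LAN
! (source port 3389, destination the remote subnet). Keep this as narrow as possible.
access-list rdp_bypass extended permit tcp host 192.168.1.10 eq 3389 192.168.2.0 255.255.255.0
!
class-map rdp_bypass_class
 match access-list rdp_bypass
!
policy-map rdp_bypass_policy
 class rdp_bypass_class
  ! Packets in this class skip the ASA's TCP state checks, so a SYN-ACK whose
  ! SYN went out over the MPLS path is forwarded instead of dropped.
  set connection advanced-options tcp-state-bypass
!
! Applied on the interface where the unmatched return packets enter the ASA.
service-policy rdp_bypass_policy interface inside
```

As the comment says, this applies whether or not the tracked route is active: everything the ACL matches loses SYN checking and TCP normalization on that interface, not just the packets that took the wrong path during a failover. Narrowing the ACL to the single server and port limits how much inspection is given up, and `show conn` on the ASA will show the bypassed connections so the exposure stays visible.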

Author Comment

ID: 39175456
naderz - your suggestion is intriguing.

Is it possible (referring to the diagram) to build a tunnel sourced on the *INSIDE* interface?

Or am I combining the 2 suggestions above and moving the ASA *between* the LAN and the 1841 and simply treating it as a dual WAN configuration?!?!

Hmmm...the dual WAN may be the least CF'd solution.
LVL 11

Assisted Solution

naderz earned 500 total points
ID: 39175633
If I understand your objective correctly, the dual WAN solution would work. If you can place the 1841 after the ASA as another "outside" interface, then you can have the following configs.

1. Create a new network for connecting the ASA and 1841 on the outside of the ASA. Let's say with security level 0, and your existing connection to the ISP can be security level 1.

2. Have your inside network point to the ASA as default gateway.

3. On the ASA have a default route pointing to the 1841. This will take care of your Internet connections, etc.

route outside2 "New IP address of 1841 on the network between ASA and 1841"

4. On the ASA have two static routes (similar to what you have now) as follows:
route outside1 <isp>  1 track 1
route outside2 "New IP address of 1841 on the network between ASA and 1841" 2

5. You will need to make sure that all appropriate VPN, ACLs, and NATs configs are in place between the outside and inside interfaces. It will take a little effort, but it's worth it.

I think I have covered all the steps. That should work allowing the ASA to track connections as they go in and out between your two sites.

Author Comment

ID: 39181268
I am putting together that plan today to see if there is something that will poke me in the eye.

I think the solution will work, but I'll have to test it at one location first (there are 8 total).

I will report back - probably not til later this week.  Thanks in advance!!!!!!!!
LVL 20

Expert Comment

ID: 39181581
One thing to keep in mind is that if you put the 1841 behind the ASA you end up with a single point of failure. If the ASA blows a power supply or has some other major failure, both connections to the WAN and the Internet are inaccessible. Naderz's solution does seem to allow for failover in the event that either the WAN/Internet connection fails or the 1841 fails, but without redundant ASAs the firewall becomes a single point of failure.

Author Comment

ID: 39186008
I'm not looking to eliminate SPOF - the ASA and 2nd WAN was added for throughput, not redundancy.  We were running with SPOF on the 1841 until the ASA was added.

The ASA and cable link is admittedly less stable than the MPLS, but faster.  I am trying to provide for connectivity failover for the (all-too-often, it seems) cable ISP drops.

But I do agree with your sentiment, and it is duly noted.  Thanks!

Author Comment

ID: 39307968
still waiting for a window to test this...thanks.

Accepted Solution

snowdog_2112 earned 0 total points
ID: 39393569
Got this to work using the ASA as a single gateway.

Note: it requires Security+ license on the ASA.

This link describes it very nicely:

Here is the overview:
Create 2 outside interfaces.
Set a route on each interface, with the primary ISP having the lower metric and a "track [n]".
Configure "sla monitor [z]" to monitor an IP out the primary ISP.
Configure "track [n]" for SLA [z].

The SLA will ping the IP you specify. If the ping drops, the route for ISP 1 is removed, making the route for ISP 2 the de facto default route.

When ISP 1 pings again, the route is added back with a lower metric than ISP 2, taking over the default.

I recommend something past the ISP gateway - I've found that pinging an ISP device physically in the location may not accurately identify a dropped link.  That is, if you're pinging the cable modem sitting next to the ASA, that won't tell you if the coax beyond the modem is down.
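A configuration that follows the overview above and the dual-WAN steps in naderz's earlier answer, written as an added example; it is not the configuration from the link in the post. All addresses are RFC 5737 documentation ranges chosen for illustration, and the interface names, VLAN numbers, SLA and track numbers, tracked host and crypto map name are assumptions.

```cisco
! Added example (not the poster's configuration): ASA 5505 as the single
! gateway with two outside interfaces and an SLA-tracked default route.
! A third unrestricted VLAN needs the Security Plus license, as the post notes.
! Placeholder addresses: 203.0.113.0/24 = cable ISP, 198.51.100.0/24 = link to the 1841,
! 192.168.1.0/24 = local LAN, 192.0.2.2 = remote ASA's public address.
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan3
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! Physical ports: 0/0 to the cable modem, 0/1 to the 1841, the rest stay on the LAN VLAN.
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
!
! Probe a host beyond the ISP gateway (not the modem next to the ASA) out the
! primary interface: 3 echoes every 5 seconds, reply expected within 3 seconds.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.250 interface outside
 num-packets 3
 frequency 5
 threshold 2500
 timeout 3000
sla monitor schedule 10 life forever start-time now
!
! Track object 1 follows whether SLA 10 is currently getting replies.
track 1 rtr 10 reachability
!
! Primary default route: metric 1, installed only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
! Floating default route via the 1841: metric 254, takes over when the above is withdrawn.
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! The site-to-site crypto map (assumed to exist already) is bound to both
! outside interfaces so the tunnel can re-establish over whichever path is active.
crypto map outside_map interface outside
crypto map outside_map interface outside2
```

With the ASA as the only gateway, the server no longer needs host routes pointing at ASA1, so both directions of a flow pass through the same firewall whichever route is active. Access lists and NAT rules must exist for the inside-to-outside2 pair as well as inside-to-outside (step 5 of naderz's answer), and `show track 1` and `show route` confirm which default route is installed at any moment. If the policy that all Internet traffic leaves via the MPLS router has to hold even while the cable link is up, the tracked entry can be narrowed from 0.0.0.0/0 to a host route for the remote ASA's public address (for example `route outside 192.0.2.2 255.255.255.255 203.0.113.1 1 track 1`), leaving the default route on outside2 at all times; this goes beyond what the post describes but uses the same tracking mechanism.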

Author Closing Comment

ID: 39404138
Follow the link in my comment for an actual config example.

Works well - I drop one ping and the link switches, and the tunnel is up on the 2nd ISP.

