Solved

Cisco multi-gateway routing problem: ASA5505's and 1841's, MPLS, Tunnels

Posted on 2013-05-16
11
Medium Priority
605 Views
Last Modified: 2013-08-13
Refer to the attached diagram for a conceptual diagram of the network.

Sorry for the long post - trying to get as many details in as possible.

The SETUP:
ASA's have a tunnel between them.  High speed cable network.
1841's connected in MPLS. 1.5mb T1's
All Internet-destined traffic must go out the MPLS routers (to 3rd party filtering host).  Only inter-branch traffic over the ASA-ASA tunnel can leave the ASA's.

ASA's have an SLA monitor on the outside, with failover to the 1841.
route outside 0.0.0.0 0.0.0.0 <isp>  1 track 1
route inside 0.0.0.0 0.0.0.0 192.168.1.1 2

The 1841's are not in my control, and only route the internal LAN's.

The remote station (192.168.2.50) gateway points to the remote ASA inside (192.168.2.254).

Currently:
The Terminal Server (192.168.1.10) has its gateway set to the MPLS router, with static routes to specific remote IPs pointing to ASA1 (route 192.168.2.50 255.255.255.255 192.168.1.254), forcing traffic to the remote host over the ASA-ASA tunnel.

The PROBLEM:
The problem is when the tunnel drops (e.g., either side loses connectivity to ISP).

The SLA is working, and the route outside is removed, leaving the default route set to the MPLS router.

However, the remote client cannot make an RDP connection to the server.  I can ping in both directions just fine.  

I believe the problem is described here (http://www.8-p.org/wiki/doku.php?id=asahairpinning), basically, the ASA handles ICMP redirection, but non-ICMP packets are lost due to the path of the SYN packets.  

That is - the remote client initiates a 3389tcp connection to 192.168.1.10 via 192.168.2.254 (ASA2)
ASA2's SLA monitor has dropped the route outside, and sends the packet to 1841-2, over the MPLS, and pops out on 1841-1 to hit the Server.  
The Server, however, has a route to 192.168.2.50 directed to ASA1, so the return packet gets sent to ASA1.
ASA1 drops the packet since it never saw the first packet from the remote host.

If I change the default gateway on Server to ASA1, then Internet traffic goes out the ASA, which violates the corporate policy.

The QUESTION:

How can I achieve failover on the ASA tunnel and still maintain connectivity?
WAN-conceptual-simplified.2013-0.jpg
Question by:snowdog_2112
11 Comments
 
LVL 11

Expert Comment

by:naderz
ID: 39173242
What is the device sitting behind the ASAs?

And, if I understand your question correctly, you want the ASA to turn around and establish the VPN Tunnel through its inside interface if its outside interface is not available; correct?
0
 
LVL 11

Assisted Solution

by:naderz
naderz earned 2000 total points
ID: 39173253
One quick thought is to connect the 1841s on the outside of the ASAs and control routing within the ASA as you have above. For the tunnel, the ASAs will then be able to use the 1841 path if necessary.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39174738
I think the best choice would be to use a Layer3 switch as a gateway between clients and ASA/1841. You can then use dynamic routing to have the L3 switch determine which direction traffic needs to go. This way, traffic that can't go through the ASA never will and you won't have to deal with asynchronous traffic flows. This method is sometimes easier said than done.

Another method would be tcp state bypass. This is more of a bandaid than a good solution because the state bypass is set per interface and doesn't care about what routes are active so you would be bypassing state inspection at all times.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
0
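As an added illustration of the TCP state bypass option mentioned in the comment above (this is not rauenpc's configuration and not text from the linked Cisco document), the following ASA Modular Policy Framework fragment scopes the bypass to the two site subnets from the diagram. The class-map, policy-map and ACL names are assumptions. Matching flows lose stateful TCP checks on that interface at all times, whichever route is currently active, which is exactly the drawback the comment points out, so the ACL should be kept as narrow as possible.

```cisco
! Added example; names are assumed, subnets are the two sites on the diagram.
! Match only the inter-site traffic that can arrive asymmetrically.
! Both directions are listed because the ASA may first see either side
! of the connection once the tunnel is down.
access-list TCP_BYPASS extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list TCP_BYPASS extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
!
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
! Applied per interface and always in effect regardless of routing:
! a SYN-ACK from the server no longer needs a matching SYN in the
! connection table, so it is forwarded instead of dropped.
service-policy TCP_BYPASS_POLICY interface inside
```

Any other traffic on the inside interface keeps normal stateful inspection; only the flows matched by the ACL are exempted.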

Author Comment

by:snowdog_2112
ID: 39175456
naderz - your suggestion is intriguing.

Is it possible (referring to the diagram) to build a tunnel sourced on the *INSIDE* interface?

Or am I combining the 2 suggestions above and moving the ASA *between* the LAN and the 1841 and simply treating it as a dual WAN configuration?!?!

Hmmm...the dual WAN may be the least CF'd solution.
0
 
LVL 11

Assisted Solution

by:naderz
naderz earned 2000 total points
ID: 39175633
If I understand your objective correctly, the dual WAN solution would work. If you can place the 1841 after the ASA as another "outside" interface, then you can have the following configs.

1. Create new network for connecting the ASA and 1841 on the outside of ASA. Let's say with security level 0 and your existing connection to isp can be security level 1.

2. Have your inside network point to the ASA as default gateway.

3. On the ASA have a default route pointing to the 1841. This will take care of your Internet connections, etc.

route outside2 0.0.0.0 0.0.0.0 "New IP address of 1841 on the network between ASA and 1841"

4. On the ASA have two static routes (similar to what you have now) as follows:
route outside1 192.168.2.0 255.255.255.0 <isp>  1 track 1
route outside2 192.168.2.0 255.255.255.0 "New IP address of 1841 on the network between ASA and 1841" 2

5. You will need to make sure that all appropriate VPN, ACLs, and NATs configs are in place between the outside and inside interfaces. It will take a little effort, but it's worth it.

I think I have covered all the steps. That should work allowing the ASA to track connections as they go in and out between your two sites.
0
 

Author Comment

by:snowdog_2112
ID: 39181268
I am putting together that plan today to see if there is something that will poke me in the eye.

I think the solution will work, but I'll have to test it at one location first (there are 8 total).

I will report back - probably not til later this week.  Thanks in advance!!!!!!!!
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39181581
One thing to keep in mind is that if you put the 1841 behind the ASA you end up with a single point of failure. If the ASA blows a power supply or has some other major failure, both connections to WAN and Internet are inaccessible. Naderz's solution does seem to allow for failover in the event that either WAN/Internet connection fails or if the 1841 fails, but without redundant ASAs the firewall becomes a single point of failure.
0
 

Author Comment

by:snowdog_2112
ID: 39186008
I'm not looking to eliminate SPOF - the ASA and 2nd WAN was added for throughput, not redundancy.  We were running with SPOF on the 1841 until the ASA was added.

The ASA and cable link is admittedly less stable than the MPLS, but faster.  I am trying to provide for connectivity failover for the (all-too-often, it seems) cable ISP drops.

But I do agree with your sentiment, and it is duly noted.  Thanks!
0
 

Author Comment

by:snowdog_2112
ID: 39307968
Still waiting for a window to test this...thanks.
0
 

Accepted Solution

by:
snowdog_2112 earned 0 total points
ID: 39393569
Got this to work using the ASA as a single gateway.

Note: it requires Security+ license on the ASA.

This link describes it very nicely: http://www.petenetlive.com/KB/Article/0000544.htm

Here is the overview:
Create 2 outside interfaces.
Set a route on each interface, with the primary ISP having the lower metric and a "track [n]".
Configure "sla monitor [z]" to monitor an IP out the primary ISP.
Configure "track [n]" for sla [z].

The sla will ping the IP you specify.  If the ping drops, the route for ISP 1 is removed, making the route for ISP 2 the de-facto default route.

When ISP 1 pings again, the route is added back with a lower metric than ISP 2, taking over the default.

I recommend something past the ISP gateway - I've found that pinging an ISP device physically in the location may not accurately identify a dropped link.  That is, if you're pinging the cable modem sitting next to the ASA, that won't tell you if the coax beyond the modem is down.
0
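The single-gateway layout from the accepted solution, written out as an added example (this is not the asker's configuration and not the config from the linked article; it also serves naderz's dual-WAN steps earlier in the thread, which describe the same arrangement). Interface names, VLAN numbers, the RFC 5737 documentation addresses, the SLA and track numbers, the probe target and the crypto map name are all assumptions; the inside subnet and ASA inside address are the ones used on the page.

```cisco
! Added example (not the page's own config). Requires the Security Plus
! license on a 5505 for the third named VLAN, as the accepted solution notes.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan3
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! Probe a host beyond the ISP's first hop (assumed address), per the author's
! advice: pinging the modem next to the ASA would not reveal a dead coax link.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.10 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! track 1 goes down when SLA 10 loses reachability
track 1 rtr 10 reachability
!
! Primary default route is withdrawn while track 1 is down; the higher-metric
! backup route then becomes the active default and is displaced again as soon
! as the probe succeeds.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
!
! The site-to-site crypto map (name assumed) is bound to both ISP interfaces
! so the tunnel can re-form over the backup path after a failover.
crypto map OUTSIDE_MAP interface outside
crypto map OUTSIDE_MAP interface backup
```

Because every inside host now points only at the ASA, both halves of a TCP connection traverse the same firewall whichever WAN path is active, which removes the asymmetric SYN/SYN-ACK problem described in the question without bypassing state inspection.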
 

Author Closing Comment

by:snowdog_2112
ID: 39404138
Follow the link in my comment for an actual config example.

Works well - I drop one ping and the link switches, and the tunnel is up on the 2nd ISP.

AWESOME!
0
