d4nnyo asked:
ASA 5510: L2L tunnel not failing over

At one time, we had a working failover L2L tunnel between two ASA 5510s, SITEA and SITEB, sanitized and posted below.

We presently have a functioning primary L2L tunnel between SITEA and SITEB. When the primary "outside" interface connection to the Internet fails, the "Failover" interface DOES provide Internet. However, it DOES NOT provide an L2L tunnel.

This line would indicate that SITEB is aware of the "Failover" interface at SITEA:

crypto map outside_map 110 set peer 72.72.72.72 93.93.93.93

Also, there is a SITEA tunnel group for the SITEA failover interface in the SITEB config (see below).

What is missing from the SITEB config that is not allowing the SITEA failover interface to map the tunnel when SITEA's Outside interface goes down?

**************

SITEA CONFIG
SITEA# show run
: Saved
:
: Hardware:   ASA5510
:
ASA Version 8.2(5)59
!
hostname SITEA
enable password
passwd
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 72.72.72.72 255.255.255.248
!
interface Ethernet0/1
 nameif failover
 security-level 0
 ip address 93.93.93.93 255.255.255.252
!
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 10.10.60.1 255.255.255.0
!
interface Ethernet0/3
 nameif Voice
 security-level 50
 ip address 10.10.70.2 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa825-59-k8.bin
ftp mode passive
clock timezone
clock summer-time recurring
dns domain-lookup outside
dns domain-lookup failover
dns domain-lookup Inside
dns domain-lookup Voice
dns domain-lookup management
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.8.8
 name-server 8.8.8.8
object-group network
 network-object host 93.93.93.93
access-list no-nat extended permit ip 10.10.60.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list no-nat extended permit ip 10.10.60.0 255.255.255.0 10.10.40.0 255.255.255.0
access-list split-tunnel extended permit ip 10.10.60.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list inside-out extended permit ip any any
access-list outside-in extended permit ip any any
access-list outside-in extended permit tcp object-group security-system object-group security-protocol object-group  
access-list voice-in extended permit ip any any
access-list failover-in extended permit ip any any
access-list SITEB extended permit ip 10.10.60.0 255.255.255.0 10.10.40.0 255.255.255.0
pager lines 24
logging enable
logging monitor informational
logging asdm informational
mtu outside 1500
mtu failover 1500
mtu Inside 1500
mtu Voice 1500
mtu management 1500
ip local pool RemoteVPNpool 192.168.80.50-192.168.80.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (failover) 1 interface
global (Voice) 1 interface
nat (failover) 0 access-list no-nat
nat (failover) 0 0.0.0.0 0.0.0.0
nat (Inside) 0 access-list no-nat
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Voice) 1 0.0.0.0 0.0.0.0
access-group outside-in in interface outside
access-group failover-in in interface failover
access-group inside-out in interface Inside
access-group voice-in in interface Voice
!
router eigrp 1000
 network 10.0.0.0 255.0.0.0
!
route outside 0.0.0.0 0.0.0.0 72.72.72.71 1 track 1
route failover 0.0.0.0 0.0.0.0 93.93.93.91 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.60.0 255.255.255.0 Inside
http 192.168.80.0 255.255.255.0 Inside
sla monitor 123
 type echo protocol ipIcmpEcho 72.72.72.71 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 110 match address SITEB
crypto map outside_map 110 set peer 42.42.42.42
crypto map outside_map 110 set transform-set ESP-3DES-SHA
crypto map outside_map 120 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 130 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map failover_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map failover_map interface failover
crypto isakmp enable outside
crypto isakmp enable failover
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 10.10.60.0 255.255.255.0 Inside
ssh 0.0.0.0 0.0.0.0 Inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh version 2
console timeout 0
management-access Inside
dhcp-client client-id interface Voice
dhcpd dns 8.8.8.8 8.8.8.8
!
dhcpd address 10.10.60.100-10.10.60.200 Inside
dhcpd dns 8.8.8.8 interface Inside
dhcpd enable Inside
!
dhcpd address 10.10.70.100-10.10.70.200 Voice
dhcpd dns 8.8.8.8  interface Voice
dhcpd enable Voice
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
username etc. etc.
tunnel-group 42.42.42.42 type ipsec-l2l
tunnel-group 42.42.42.42 ipsec-attributes
 pre-shared-key !!
!
class-map inspection_default
 match default-inspection-traffic
!
!            
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
:end

*******

SITEB CONFIG

SITEB# show run
: Saved
:
: Hardware:   ASA5510
:
ASA Version 8.4(7)31
!
hostname SITEB
enable password
passwd
names
name Svc_1
name Svc_1-failover
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 42.42.42.42 255.255.255.248 standby
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.40.251 255.255.255.0 standby
!
interface Ethernet0/2
 shutdown    
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description LAN Failover Interface
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa847-31-k8.bin
ftp mode passive
clock timezone
clock summer-time recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
object network obj-10.10.40.0
 subnet 10.10.40.0 255.255.255.0
object network obj-192.168.85.0
 subnet 192.168.85.0 255.255.255.0
object network obj-10.10.60.0
 subnet 10.10.60.0 255.255.255.0
object network obj-10.10.40.1
 host 10.10.40.1
object network obj-10.10.40.1-01
 host 10.10.40.1
object network obj-10.10.40.1-02
 host 10.10.40.1
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Obj_10.10.40.5
 host 10.10.40.5
object network Obj_
 host
object network obj-10.10.45.0
 subnet 10.10.45.0 255.255.255.0
object-group network PublicSMTPServers
 network-object host Svc_1
 network-object host Svc_1-failover
access-list no-nat extended permit ip 10.10.40.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list no-nat extended permit ip 10.10.40.0 255.255.255.0 10.10.60.0 255.255.255.0
access-list no-nat extended permit ip 10.10.40.0 255.255.255.0 10.10.80.0 255.255.255.0
access-list no-nat extended permit ip 10.10.40.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list no-nat extended permit ip 10.10.40.0 255.255.255.0 192.168.240.0 255.255.255.0
access-list no-nat extended permit ip 10.10.40.0 255.255.255.0 10.10.100.0 255.255.255.0
access-list split-tunnel extended permit ip 10.10.40.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list inside-out extended permit ip any any
access-list ClientName extended permit ip 10.10.40.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list ClientName extended permit ip host 10.10.40.5 host  
access-list ClientNameSITEA extended permit ip 10.10.40.0 255.255.255.0 10.10.60.0 255.255.255.0
access-list ClientName extended permit ip 10.10.40.0 255.255.255.0 192.168.240.0 255.255.255.0
access-list outside-in extended permit icmp any any
access-list outside-in extended deny ip any any
access-list SplitTunnelNetworks standard permit 10.10.40.0 255.255.255.0
access-list  extended permit ip 10.10.40.0 255.255.255.0 10.10.100.0 255.255.255.0
pager lines 24
logging enable
logging monitor debugging
logging trap debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool RemoteVPNpool 192.168.85.50-192.168.85.200 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-10.10.40.0 obj-10.10.40.0 destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.40.0 obj-10.10.40.0 destination static obj-10.10.60.0 obj-10.10.60.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.40.0 obj-10.10.40.0 destination static obj-10.10.80.0 obj-10.10.80.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.40.0 obj-10.10.40.0 destination static obj-10.0.20.0 obj-10.0.20.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.40.0 obj-10.10.40.0 destination static obj-192.168.240.0 obj-192.168.240.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.40.0 obj-10.10.40.0 destination static obj-10.10.100.0 obj-10.10.100.0 no-proxy-arp route-lookup
nat (inside,outside) source static Obj_10.10.40.5 Obj_10.10.40.5 destination static Obj_ Obj_
!
object network obj-10.10.40.1
 nat (inside,outside) static interface service tcp smtp smtp
object network obj-10.10.40.1-01
 nat (inside,outside) static interface service tcp www www
object network obj-10.10.40.1-02
 nat (inside,outside) static interface service tcp https https
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside-in in interface outside
access-group inside-out in interface inside
route outside 0.0.0.0 0.0.0.0 42.42.42.41 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.168.16.0 255.255.255.0 management
http 10.10.60.0 255.255.255.0 inside
http 10.10.80.0 255.255.255.0 inside
http 10.10.40.0 255.255.255.0 inside
http 10.10.100.0 255.255.255.0 inside
http 192.168.85.0 255.255.255.0 inside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 100 match address ClientName
crypto map outside_map 110 match address ClientNameSITEA
crypto map outside_map 110 set peer 72.72.72.72 93.93.93.93
crypto map outside_map 110 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 120 match address ClientName
crypto map outside_map 150 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha    
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha    
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha    
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.10.60.0 255.255.255.0 inside
ssh 10.10.80.0 255.255.255.0 inside
ssh 10.10.40.0 255.255.255.0 inside
ssh 10.0.20.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
group-policy ezvpnclient internal
group-policy ezvpnclient attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnelNetworks
 nem enable
username etc

tunnel-group 93.93.93.93 type ipsec-l2l
tunnel-group 93.93.93.93 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 72.72.72.72 type ipsec-l2l
tunnel-group 72.72.72.72 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
ASKER CERTIFIED SOLUTION
ArneLovius
Hi Arne,

You were spot on.

@d4nnyo: You need to apply the crypto map on the failover interface as well.

Refer to the link below:
http://www.petenetlive.com/KB/Article/0000544
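The change the comment above points to, written out against the SITEA config posted in the question (this is an added example, not text from the post or from the linked article). Entry number 110, the ACL name SITEB, the peer 42.42.42.42 and the transform set are taken from the posted config; the commands are standard ASA 8.2 syntax, and nothing on SITEB needs to change because it already lists both SITEA peers and has a tunnel-group for 93.93.93.93.

```cisco
! SITEA (ASA 8.2): the static L2L entry for SITEB exists only in outside_map.
! failover_map is already bound to the failover interface and ISAKMP is
! already enabled there, but it carries only the dynamic catch-all entry, so
! no static L2L SA can be built once the default route moves to the failover
! link. Mirror the outside_map 110 entry into failover_map:
crypto map failover_map 110 match address SITEB
crypto map failover_map 110 set peer 42.42.42.42
crypto map failover_map 110 set transform-set ESP-3DES-SHA
!
! These lines are already in the posted config and stay as they are:
!   crypto map failover_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
!   crypto map failover_map interface failover
!   crypto isakmp enable failover
!   nat (failover) 0 access-list no-nat
!
! Checks once the outside ISP path is down (track 1 fails and the metric-2
! default route via 93.93.93.91 takes over):
!   show route                          (default route now points out "failover")
!   show crypto isakmp sa               (Phase 1 to 42.42.42.42 sourced from 93.93.93.93)
!   show crypto ipsec sa peer 42.42.42.42
```

When the tunnel comes up over the failover link, SITEA identifies itself as 93.93.93.93, so the pre-shared key under SITEB's tunnel-group 93.93.93.93 must match the key SITEA uses under tunnel-group 42.42.42.42. SITEB's two-peer list only governs tunnels SITEB initiates; it moves to 93.93.93.93 after 72.72.72.72 stops responding.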