

VPN ipsec for dual ISP ON ASA

VPNipsec asa dual ISP sla monitor

2 replies to this topic

#1 dido32


Posted 18 December 2012 - 07:46 AM

Hello,

I have configured VPNipsec on an ASA, and I use 'sla monitor track' for dual ISP.
I use two interfaces (outside for ISP1, backup for ISP2):

1 - When the outside interface is down (I take off the cable), the VPN switches automatically.
2 - But when ISP1 is down (the outside interface is up), my internet switches to the backup interface and I have internet,
but my VPN is down,
even though I have this:
When I type sh crypto isakmp sa I get
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : aes Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 85981

It seems fine, BUT
when I type sh crypto ipsec sa I get
interface: outside (should be backup)

I think this result is for the ancient VPN.

I was trying to follow what happens when my ISP is down, and I enabled debug for isakmp and ipsec.

When I type debug crypto isakmp 127 I get

[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
[IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
without stopping. That means my phase 1 and 2 don't complete.
Of course, for debug crypto ipsec 127 nothing happens.

But if I take off the outside interface cable, the VPN will work.
Thank you in advance.

Edited by dido32, 18 December 2012 - 07:57 AM.

  • -1

#2 dido32


Posted 19 December 2012 - 05:11 AM

please help
  • 0

#3 MarkinManchester


Posted 20 December 2012 - 01:31 AM

Hi

What you need to do is use EEM combined with IP SLA to track a ping to a remote address. This https://supportforum...m/thread/345889 will give you the basics, but as with most things it's difficult to give specific advice.

Mark
  • 1
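
Added example (not part of the thread and not Cisco code): a small Python check for the condition described in the question, an IPsec SA still bound to an interface that no longer carries the default route after the SLA track has failed over. The sample outputs are constructed, the text layout of `show route` and `show crypto ipsec sa` is assumed, and the peer is assumed to be reached via the default route.

```python
import re

# Constructed sample output (not from the thread). Addresses are documentation
# ranges; the layout is an assumption about ASA `show route` output.
SHOW_ROUTE = """\
Gateway of last resort is 198.51.100.1 to network 0.0.0.0

C    203.0.113.0 255.255.255.0 is directly connected, outside
C    198.51.100.0 255.255.255.0 is directly connected, backup
S*   0.0.0.0 0.0.0.0 [254/0] via 198.51.100.1, backup
"""

# Constructed sample of `show crypto ipsec sa` (layout assumed).
SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.2

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 192.0.2.10
"""

DEFAULT_RE = re.compile(
    r"^S\*?\s+0\.0\.0\.0 0\.0\.0\.0 \[\d+/\d+\] via \S+, (\S+)", re.M)

def default_route_interface(show_route):
    """Interface name of the installed static default route, or None."""
    m = DEFAULT_RE.search(show_route)
    return m.group(1) if m else None

def ipsec_sas(show_ipsec_sa):
    """Yield (interface, peer) for every SA block in the output."""
    iface = None
    for line in show_ipsec_sa.splitlines():
        s = line.strip()
        if s.startswith("interface:"):
            iface = s.split(":", 1)[1].split()[0]
        elif s.startswith("current_peer:") and iface:
            yield iface, s.split(":", 1)[1].split()[0].rstrip(",")

def stale_sas(show_route, show_ipsec_sa):
    """SAs whose interface differs from the active default-route interface."""
    active = default_route_interface(show_route)
    if active is None:          # no default route installed: nothing to compare
        return []
    return [(i, p) for i, p in ipsec_sas(show_ipsec_sa) if i != active]

if __name__ == "__main__":
    for iface, peer in stale_sas(SHOW_ROUTE, SHOW_IPSEC_SA):
        print(f"SA to {peer} is on '{iface}', default route is elsewhere")
```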





