ASA dual ISP backup VPN

  • Post category: ASA / Cisco / VPN

This post covers the configuration of a policy-based Site-to-Site VPN on a single Cisco ASA Firewall (or HA failover pair) with dual internet connections on the head-end ASA.

Topology

The figure below represents the topology used in this scenario.

HQ ASA

  • The HQ ASA will use the GigabitEthernet0/0 interface (IP address 1.1.1.1) as the primary connection and the GigabitEthernet0/1 interface (2.2.2.1) as the backup connection.
  • IKEv1/IPSec is enabled on both interfaces to ensure resilient VPN connectivity from the Branch.
  • An SLA monitor will probe the next-hop IP address (1.1.1.254) on the GigabitEthernet0/0 interface.
  • The default route via the GigabitEthernet0/0 interface will be tracked. In the event of failure, the default route will be removed from the routing table.
  • A second default route with a higher administrative distance (a floating static route) will be configured via the GigabitEthernet0/1 interface. When the primary default route is removed from the routing table, traffic will be routed via the GigabitEthernet0/1 interface (2.2.2.1).
  • The SLA monitor will continuously track the 1.1.1.254 IP address; once reachability is restored, the default route via GigabitEthernet0/0 will be re-added to the routing table.
  • When the primary interface on the HQ ASA is available again, the HQ ASA will automatically terminate the VPN on the backup interface and a new tunnel will be established on the primary interface.

Branch ASA

  • The Branch ASA will be configured with a crypto map with both peer IP addresses of the HQ ASA.
  • Under normal circumstances a VPN tunnel will be established to the primary peer IP address 1.1.1.1.
  • Upon detecting failure, a VPN will automatically be established to the backup peer IP (2.2.2.1).
  • Once a termination request is received from the HQ ASA, a new tunnel is automatically established to the primary peer IP.

Configuration

HQ ASA

Configure the INSIDE and two OUTSIDE interfaces.

interface GigabitEthernet0/0
 nameif OUTSIDE_1
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif OUTSIDE_2
 security-level 0
 ip address 2.2.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif INSIDE
 security-level 100
 ip address 10.10.0.1 255.255.255.0

Enable IKEv1 (or IKEv2) on both OUTSIDE interfaces.

crypto ikev1 enable OUTSIDE_1
crypto ikev1 enable OUTSIDE_2

Configure the IKEv1 (or IKEv2) policy.

crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400

Configure the Access Control List to define the interesting traffic to be encrypted.

access-list VPN-BRANCH extended permit ip 10.10.0.0 255.255.252.0 10.20.0.0 255.255.252.0

Configure the IPSec Transform Set.

crypto ipsec ikev1 transform-set TSET esp-aes esp-sha-hmac

Configure the Crypto Map, match the ACL previously created, define the peer IP address, reference the transform set and enable on both OUTSIDE interfaces.

crypto map CMAP 1 match address VPN-BRANCH
crypto map CMAP 1 set peer 3.3.3.1
crypto map CMAP 1 set ikev1 transform-set TSET
crypto map CMAP 1 set security-association lifetime kilobytes unlimited
crypto map CMAP interface OUTSIDE_1
crypto map CMAP interface OUTSIDE_2

Create a group-policy to enable the version of IKE in use (IKEv1 or IKEv2).

group-policy 3.3.3.1 internal
group-policy 3.3.3.1 attributes
 vpn-tunnel-protocol ikev1

Configure the tunnel-group for the Branch ASA, define the PSK and reference the group-policy previously created.

tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 general-attributes
 default-group-policy 3.3.3.1
tunnel-group 3.3.3.1 ipsec-attributes
 ikev1 pre-shared-key *****

Create an SLA monitor to probe the next-hop IP address (in this instance the ISP router IP address) and create a track object that follows its reachability.

sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.254 interface OUTSIDE_1
 timeout 2000
 threshold 1
 frequency 5
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability

Create a default route via OUTSIDE_1 and track it using the track object previously created. Create a second default route via OUTSIDE_2 with a higher administrative distance (200) than the primary default route (1), so it is only installed in the routing table when the tracked route is withdrawn.

route OUTSIDE_1 0.0.0.0 0.0.0.0 1.1.1.254 1 track 1
route OUTSIDE_2 0.0.0.0 0.0.0.0 2.2.2.254 200
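A dual-ISP design fails silently when one of the pieces above is missing: an untracked primary route never leaves the routing table, a backup route with an equal distance load-shares instead of floating, and an OUTSIDE interface without IKE or the crypto map can never terminate the tunnel. The script below is an added example (not part of the original post, and not Cisco tooling) that runs those consistency checks over an ASA configuration snippet; the sample configuration is the HQ config from this post, and all function and constant names are this example's own.

```python
import re
from typing import Dict, List

# HQ ASA configuration from the post, reduced to the lines the checks need.
HQ_CONFIG = """
interface GigabitEthernet0/0
 nameif OUTSIDE_1
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif OUTSIDE_2
 security-level 0
 ip address 2.2.2.1 255.255.255.0
!
crypto ikev1 enable OUTSIDE_1
crypto ikev1 enable OUTSIDE_2
crypto map CMAP 1 match address VPN-BRANCH
crypto map CMAP 1 set peer 3.3.3.1
crypto map CMAP interface OUTSIDE_1
crypto map CMAP interface OUTSIDE_2
sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.254 interface OUTSIDE_1
 timeout 2000
 threshold 1
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route OUTSIDE_1 0.0.0.0 0.0.0.0 1.1.1.254 1 track 1
route OUTSIDE_2 0.0.0.0 0.0.0.0 2.2.2.254 200
"""

# Constructed broken variant: primary route untracked, crypto map missing on OUTSIDE_2.
BROKEN_CONFIG = (HQ_CONFIG.replace(" 1 track 1", " 1")
                          .replace("crypto map CMAP interface OUTSIDE_2\n", ""))

# route <ifname> 0.0.0.0 0.0.0.0 <next-hop> [distance] [track <id>]
ROUTE_RE = re.compile(
    r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?(?: track (\d+))?\s*$"
)


def parse_default_routes(config: str) -> List[Dict]:
    """Return every default route with its interface, next hop, distance and track id."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({
                "interface": m.group(1),
                "next_hop": m.group(2),
                "distance": int(m.group(3) or 1),   # ASA default admin distance is 1
                "track": int(m.group(4)) if m.group(4) else None,
            })
    return routes


def check_dual_isp_vpn(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    lines = [l.strip() for l in config.splitlines()]
    routes = parse_default_routes(config)
    if len(routes) < 2:
        return ["fewer than two default routes: there is no backup path"]
    primary = min(routes, key=lambda r: r["distance"])
    backups = [r for r in routes if r is not primary]

    # 1. The primary route must be tracked, and the track must chain to a scheduled SLA.
    if primary["track"] is None:
        findings.append(f"primary default route via {primary['interface']} is not tracked")
    else:
        track_line = next((l for l in lines if l.startswith(f"track {primary['track']} rtr ")), None)
        if track_line is None:
            findings.append(f"track {primary['track']} is referenced but not defined")
        else:
            sla_id = track_line.split()[3]
            if f"sla monitor {sla_id}" not in lines:
                findings.append(f"track {primary['track']} points at undefined sla monitor {sla_id}")
            if not any(l.startswith(f"sla monitor schedule {sla_id} ") for l in lines):
                findings.append(f"sla monitor {sla_id} is defined but never scheduled")

    # 2. Backup routes must float: strictly higher administrative distance than the primary.
    for b in backups:
        if b["distance"] <= primary["distance"]:
            findings.append(f"backup route via {b['interface']} has distance {b['distance']}, "
                            f"not higher than the primary's {primary['distance']}")

    # 3. Every interface that can carry the default route must terminate IKE and the crypto map.
    crypto_maps = {l.split()[2] for l in lines if re.match(r"crypto map \S+ interface ", l)}
    for r in routes:
        ifname = r["interface"]
        if (f"crypto ikev1 enable {ifname}" not in lines
                and f"crypto ikev2 enable {ifname}" not in lines):
            findings.append(f"IKE is not enabled on {ifname}")
        for cm in sorted(crypto_maps):
            if f"crypto map {cm} interface {ifname}" not in lines:
                findings.append(f"crypto map {cm} is not applied to {ifname}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("post config", HQ_CONFIG), ("broken config", BROKEN_CONFIG)):
        print(name, "->", check_dual_isp_vpn(cfg) or "OK")
```

The checks are deliberately line-oriented so the script can be pointed at the output of `show running-config` without a full ASA parser; a finding is a reason the failover described in this post would not happen as expected.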

Branch ASA

interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 3.3.3.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.20.0.1 255.255.255.0

Configure the Access Control List to define the interesting traffic to be encrypted.

access-list VPN-HQ extended permit ip 10.20.0.0 255.255.252.0 10.10.0.0 255.255.252.0

Enable IKEv1 on the OUTSIDE interface.

crypto ikev1 enable OUTSIDE

Configure the IKEv1 (or IKEv2) policy.

crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400

Configure the IPSec Transform Set.

crypto ipsec ikev1 transform-set TSET esp-aes esp-sha-hmac

Configure the Crypto Map, match the ACL previously created, define both HQ peer IP addresses (primary first, then backup), reference the transform set and enable it on the OUTSIDE interface.

crypto map CMAP 1 match address VPN-HQ
crypto map CMAP 1 set peer 1.1.1.1 2.2.2.1
crypto map CMAP 1 set ikev1 transform-set TSET
crypto map CMAP interface OUTSIDE

Create a group-policy to enable the version of IKE in use (IKEv1 or IKEv2).

group-policy HQ-POLICY internal
group-policy HQ-POLICY attributes
 vpn-tunnel-protocol ikev1

Configure two tunnel groups (one for the primary peer and the other for the backup peer), define the PSK and reference the group-policy previously created.

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy HQ-POLICY
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 general-attributes
 default-group-policy HQ-POLICY
tunnel-group 2.2.2.1 ipsec-attributes
 ikev1 pre-shared-key *****

Define a default route via the next hop.

route OUTSIDE 0.0.0.0 0.0.0.0 3.3.3.254

Verification

Logging to the console will be enabled for verification purposes on both ASAs.

logging enable
logging timestamp
logging console 6

  • Establish a VPN tunnel between the Branch ASA and the HQ ASA on the primary peer IP address (1.1.1.1).
  • Take a packet capture on the OUTSIDE_1 interface of the HQ ASA.
  • Take another packet capture on the OUTSIDE interface of the Branch ASA.

HQ-ASA# show crypto ipsec sa
interface: OUTSIDE_1
Crypto map tag: CMAP, seq num: 1, local addr: 1.1.1.1
access-list VPN-BRANCH extended permit ip 10.10.0.0 255.255.252.0 10.20.0.0 255.255.252.0
local ident (addr/mask/prot/port): (10.10.0.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (10.20.0.0/255.255.252.0/0/0)
current_peer: 3.3.3.1
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14

Fail over to Backup

  • From the CLI of the HQ ASA, shut down OUTSIDE_1 to simulate failure of the primary connection.
  • Observe the console output.

The SLA monitor on HQ ASA will detect the ICMP echo-request to 1.1.1.254 has failed and the tracked route will be removed from the routing table. Message 622001 confirms the default route was removed from the routing table.

Feb 11 2023 20:08:22: %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 1.1.1.254, distance 1, table default, on interface OUTSIDE_1

Message 602304 confirms the outbound|inbound IPSec SA between 1.1.1.1 and 3.3.3.1 was deleted.

Feb 11 2023 20:08:30: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x68FA9E15) between 1.1.1.1 and 3.3.3.1 (user= 3.3.3.1) has been deleted.
Feb 11 2023 20:08:30: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x389095D2) between 3.3.3.1 and 1.1.1.1 (user= 3.3.3.1) has been deleted.

After 42 seconds, message 602303 confirms the outbound|inbound IPSec SA between 3.3.3.1 and 2.2.2.1 was created.

Feb 11 2023 20:09:12: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x737D4F2B) between 2.2.2.1 and 3.3.3.1 (user= 3.3.3.1) has been created.
Feb 11 2023 20:09:12: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x33385F2D) between 2.2.2.1 and 3.3.3.1 (user= 3.3.3.1) has been created.

From the HQ ASA's OUTSIDE_1 interface packet capture:

  • Packet No. 5 and 10 are the SLA monitor ICMP echo-request packets from 1.1.1.1 (HQ ASA) to 1.1.1.254 (ISP router next hop).
  • Packet No. 6 and 11 are the ICMP echo-replies from 1.1.1.254 (ISP router next hop) to 1.1.1.1 (HQ ASA).

The echo-requests are sent every 5 seconds (as per the SLA monitor configuration). The echo-replies received from 1.1.1.254 confirm normal communication and that the SLA monitor is working correctly.

  • Packet No. 278, 279, 314 and 315 are Dead Peer Detection (DPD) keepalives between both ASAs; this is normal when a VPN is established.

From the Branch ASA packet capture we can determine more information about the failover.

  • Packet No. 360 and 361 are ESP encrypted traffic to the primary peer.

At this point the upstream link was disabled to simulate failure.

  • Packet No. 364, 367, 370, 372, 373, 378, 381, 385 and 388 are DPD keepalive packets, attempting to determine whether the tunnel is dead.
  • Packet No. 365, 368, 371, 374, 379, 382, 386 and 379 are ICMP destination-unreachable responses from the ISP (next hop of the Branch ASA), confirming that 1.1.1.1 (HQ ASA) cannot be reached.

  • Packet No. 391 is a new IKEv1 Main Mode packet to the backup VPN peer, 2.2.2.1.
  • Packet No. 392 – 399 are the remaining IKE Main Mode & Quick Mode packets.
  • Packet No. 401 – 404 are ESP packets, which confirm bi-directional encrypted traffic.

At this point the Branch ASA has established a VPN to the secondary peer IP address 2.2.2.1 on HQ ASA.

Fail back to Primary

The Branch ASA will automatically establish a VPN to the primary peer once the primary peer 1.1.1.1 (OUTSIDE_1 on HQ ASA) is responding again.

  • From the CLI of the HQ ASA, un-shut OUTSIDE_1 to fail back to the primary interface.

From the branch site, generate some interesting traffic over the VPN and observe the output of the packet capture:

  • Packet No. 679 and 680 – encrypted traffic to/from the branch site via the backup peer VPN tunnel.

At this point the primary peer becomes active on HQ ASA, which sends a termination request to the Branch ASA.

  • Packet No. 681 and 682 – the HQ ASA sends 2 ISAKMP Informational packets to the Branch ASA; the tunnel is subsequently terminated on the backup peer interface.
  • Packet No. 683 is a new IKEv1 Main Mode packet to the primary VPN peer 1.1.1.1.
  • Packet No. 684 – 691 are the remaining IKE Main Mode & Quick Mode packets.
  • Packet No. 692 – 695 are ESP packets, which confirm encrypted traffic and that the tunnel is successfully established.

SYSLOG messages on HQ ASA

When the primary interface (OUTSIDE_1) on the HQ ASA is up again, a ping from the branch is sent to the HQ ASA over the VPN established on the backup interface. The HQ ASA initiates the termination of the VPN of the backup interface.

Message 622001 confirms the default route via OUTSIDE_1 is added to the routing table; therefore the primary peer is now active.

Feb 11 2023 20:39:38: %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 1.1.1.254, distance 1, table default, on interface OUTSIDE_1

Subsequently the HQ ASA resets the tunnel to the Branch ASA on the backup interface.

Feb 11 2023 20:39:39: %ASA-5-713259: Group = 3.3.3.1, IP = 3.3.3.1, Session is being torn down. Reason: Administrator Reset
Feb 11 2023 20:39:39: %ASA-4-113019: Group = 3.3.3.1, Username = 3.3.3.1, IP = 3.3.3.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:10m:42s, Bytes xmt: 2800, Bytes rcv: 2800, Reason: Administrator Reset
Feb 11 2023 20:39:39: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xAA85CADF) between 2.2.2.1 and 3.3.3.1 (user= 3.3.3.1) has been deleted.
Feb 11 2023 20:39:39: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xDC8815DB) between 3.3.3.1 and 2.2.2.1 (user= 3.3.3.1) has been deleted.

SYSLOG messages on Branch ASA

The message logs on the Branch ASA confirm that the tunnel to the backup IP address 2.2.2.1 was terminated by the HQ ASA.

Feb 11 2023 20:39:39: %ASA-5-713050: Group = 2.2.2.1, IP = 2.2.2.1, Connection terminated for peer 2.2.2.1.  Reason: Peer Terminate  Remote Proxy 10.10.0.0, Local Proxy 10.20.0.0
Feb 11 2023 20:39:39: %ASA-5-713050: Group = 2.2.2.1, IP = 2.2.2.1, Connection terminated for peer 2.2.2.1.  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Feb 11 2023 20:39:39: %ASA-5-713259: Group = 2.2.2.1, IP = 2.2.2.1, Session is being torn down. Reason: User Requested
Feb 11 2023 20:39:39: %ASA-4-113019: Group = 2.2.2.1, Username = 2.2.2.1, IP = 2.2.2.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:10m:41s, Bytes xmt: 2800, Bytes rcv: 2700, Reason: User Requested
Feb 11 2023 20:39:39: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xDC8815DB) between 3.3.3.1 and 2.2.2.1 (user= 2.2.2.1) has been deleted.
Feb 11 2023 20:39:39: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xAA85CADF) between 2.2.2.1 and 3.3.3.1 (user= 2.2.2.1) has been deleted

With further traffic generated, a new tunnel to the primary peer IP address 1.1.1.1 is successfully re-established.

Feb 11 2023 20:39:42: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = CMAP.  Map Sequence Number = 1.
Feb 11 2023 20:39:42: %ASA-5-713041: IP = 1.1.1.1, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer 1.1.1.1  local Proxy Address 10.20.0.0, remote Proxy Address 10.10.0.0,  Crypto map (CMAP)
Feb 11 2023 20:39:42: %ASA-6-302015: Built outbound UDP connection 501 for OUTSIDE:1.1.1.1/500 (1.1.1.1/500) to identity:3.3.3.1/500 (3.3.3.1/500)
Feb 11 2023 20:39:42: %ASA-6-713172: Group = 1.1.1.1, IP = 1.1.1.1, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Feb 11 2023 20:39:42: %ASA-6-113009: AAA retrieved default group policy (HQ-POLICY) for user = 1.1.1.1
Feb 11 2023 20:39:42: %ASA-5-713119: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
Feb 11 2023 20:39:42: %ASA-5-713049: Group = 1.1.1.1, IP = 1.1.1.1, Security negotiation complete for LAN-to-LAN Group (1.1.1.1)  Initiator, Inbound SPI = 0xb65ed533, Outbound SPI = 0x303ddd10
Feb 11 2023 20:39:42: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x303DDD10) between 3.3.3.1 and 1.1.1.1 (user= 1.1.1.1) has been created.
Feb 11 2023 20:39:42: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xB65ED533) between 3.3.3.1 and 1.1.1.1 (user= 1.1.1.1) has been created.
Feb 11 2023 20:39:42: %ASA-5-713120: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 2 COMPLETED (msgid=bdf40255)
Feb 11 2023 20:39:42: %ASA-5-752016: IKEv1 was successful at setting up a tunnel.  Map Tag = CMAP. Map Sequence Number = 1.
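The syslog messages quoted in the failover and failback sections above (622001 for the tracked route, 602303/602304 for SA creation and deletion, 713259 for the session teardown) are exactly what a SIEM should key on to alert that a site has moved to its backup ISP and to measure how long it was without a tunnel. The script below is an added example (not from the original post, and not Cisco tooling) that parses those message types from the HQ ASA log lines reproduced in this post, replays them into a state machine, and reports each transition together with the outage duration; the 42-second gap the post calls out between the primary SA deletion and the backup SA creation falls out of the replay. The regular expressions and function names are this example's own, written against the message formats shown on this page.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# HQ ASA syslog lines copied from the post: the failover at 20:08 and the failback at 20:39.
HQ_SYSLOG = """\
Feb 11 2023 20:08:22: %ASA-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 1.1.1.254, distance 1, table default, on interface OUTSIDE_1
Feb 11 2023 20:08:30: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x68FA9E15) between 1.1.1.1 and 3.3.3.1 (user= 3.3.3.1) has been deleted.
Feb 11 2023 20:08:30: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x389095D2) between 3.3.3.1 and 1.1.1.1 (user= 3.3.3.1) has been deleted.
Feb 11 2023 20:09:12: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x737D4F2B) between 2.2.2.1 and 3.3.3.1 (user= 3.3.3.1) has been created.
Feb 11 2023 20:09:12: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x33385F2D) between 2.2.2.1 and 3.3.3.1 (user= 3.3.3.1) has been created.
Feb 11 2023 20:39:38: %ASA-6-622001: Adding tracked route 0.0.0.0 0.0.0.0 1.1.1.254, distance 1, table default, on interface OUTSIDE_1
Feb 11 2023 20:39:39: %ASA-5-713259: Group = 3.3.3.1, IP = 3.3.3.1, Session is being torn down. Reason: Administrator Reset
Feb 11 2023 20:39:39: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xAA85CADF) between 2.2.2.1 and 3.3.3.1 (user= 3.3.3.1) has been deleted.
Feb 11 2023 20:39:39: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xDC8815DB) between 3.3.3.1 and 2.2.2.1 (user= 3.3.3.1) has been deleted.
"""

# "<timestamp>: %ASA-<sev>-<id>: <body>" as produced with "logging timestamp"
LINE_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(\d{6}): (.*)$")
ROUTE_RE = re.compile(r"^(Adding|Removing) tracked route \S+ \S+ (\S+), distance (\d+), "
                      r"table \S+, on interface (\S+)")
SA_RE = re.compile(r"An (inbound|outbound) LAN-to-LAN SA \(SPI= (0x[0-9A-Fa-f]+)\) between "
                   r"(\S+) and (\S+) \(user= (\S+)\) has been (created|deleted)")
TEARDOWN_RE = re.compile(r"Group = (\S+), IP = \S+, Session is being torn down\. Reason: (.*)$")


def parse_events(text: str) -> List[Dict]:
    """Turn raw syslog lines into structured events; messages we do not model are skipped."""
    events: List[Dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        msg_id, body = m.group(2), m.group(3)
        if msg_id == "622001":
            r = ROUTE_RE.match(body)
            if r:
                kind = "route_added" if r.group(1) == "Adding" else "route_removed"
                events.append({"time": ts, "kind": kind, "interface": r.group(4),
                               "next_hop": r.group(2), "distance": int(r.group(3))})
        elif msg_id in ("602303", "602304"):
            s = SA_RE.search(body)
            # Each SA pair logs an inbound and an outbound line; keep one event per pair.
            if s and s.group(1) == "outbound":
                a, b, peer = s.group(3), s.group(4), s.group(5)
                events.append({"time": ts, "kind": "sa_" + s.group(6), "spi": s.group(2),
                               "local": a if a != peer else b, "peer": peer})
        elif msg_id == "713259":
            t = TEARDOWN_RE.search(body)
            if t:
                events.append({"time": ts, "kind": "session_reset",
                               "peer": t.group(1), "reason": t.group(2)})
    return sorted(events, key=lambda e: e["time"])   # stable: file order kept within a second


def summarize(events: List[Dict]) -> Dict:
    """Replay events to recover the tunnel state transitions and how long no tunnel existed."""
    primary_route_up: Optional[bool] = None
    tunnel_local: Optional[str] = None      # HQ address the current tunnel terminates on
    down_since: Optional[datetime] = None
    transitions, outages = [], []
    for ev in events:
        k = ev["kind"]
        if k == "route_removed":
            primary_route_up = False
            transitions.append((ev["time"], f"default route via {ev['interface']} withdrawn"))
        elif k == "route_added":
            primary_route_up = True
            transitions.append((ev["time"], f"default route via {ev['interface']} restored"))
        elif k == "sa_deleted":
            tunnel_local, down_since = None, ev["time"]
            transitions.append((ev["time"], f"tunnel down on {ev['local']} to {ev['peer']}"))
        elif k == "sa_created":
            if down_since is not None:
                outages.append(int((ev["time"] - down_since).total_seconds()))
                down_since = None
            tunnel_local = ev["local"]
            transitions.append((ev["time"], f"tunnel up on {ev['local']} to {ev['peer']}"))
        elif k == "session_reset":
            transitions.append((ev["time"], f"session with {ev['peer']} reset ({ev['reason']})"))
    return {"transitions": transitions, "outage_seconds": outages,
            "final_state": {"primary_route_up": primary_route_up, "tunnel_local": tunnel_local}}


if __name__ == "__main__":
    summary = summarize(parse_events(HQ_SYSLOG))
    for when, what in summary["transitions"]:
        print(when.strftime("%H:%M:%S"), what)
    print("outages (s):", summary["outage_seconds"], "final:", summary["final_state"])
```

The HQ log excerpt ends with the backup-interface tunnel torn down by "Administrator Reset" immediately after the tracked route returns, which is the signature of a clean failback rather than a DPD-detected outage; the re-establishment on the primary peer is only visible in the Branch ASA log (message 602303 at 20:39:42), so a complete picture needs both devices' syslog feeds in the same collector.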