ASA VPN preempt

The Cisco ASA supports multi-peer VPN, useful when an organisation requires a primary and backup VPN tunnel. When the ASA detects the VPN to the primary peer is down, a new VPN can automatically be established to the backup peer. However, when the primary peer is active again, there is no native VPN pre-emption command to automatically failback to the preferred VPN peer.

The Embedded Event Manager (EEM) script feature on the ASA can be used to detect when the primary peer is active again and clear the VPN tunnel to the backup peer, allowing the ASA to re-establish a tunnel to the primary peer.

Topology

The figure below represents the network topology used in this scenario.

Summary

The following sections summarise the configuration required for VPN pre-emption on the ASA.

Branch ASA

  • The Branch ASA is configured with a crypto map (Policy-based VPN), with the primary peer as DC-1 ASA and backup peer as DC-2 ASA.
  • An SLA monitor to send an ICMP echo-request every 10 seconds.
  • A track object determining the reachability of the primary peer.
  • A tracked static route to the primary peer IP address.
  • An EEM script to detect when the primary peer is up again and clear the IPSec SA of the backup VPN.

DC ASA Firewalls

  • Configure dynamic RRI on the crypto map of both DC ASAs.
  • Redistribute static routes into OSPF to the locally attached Core switch.

NOTE – The static routes for the Branch networks are only redistributed when a VPN is established to either of the DC ASA Firewalls. When the VPN is down, the routes are removed from the Core switch routing table.

VPN Configuration

The purpose of this post is to describe the VPN pre-empt procedure and the relevant configuration; it does not cover the basic configuration of setting up the ASA and the VPN. Refer to this post to set up an ASA multi-peer VPN and this post for more information on Reverse Route Injection (RRI).

DC ASA

This section represents the requirements to configure both DC ASA Firewalls.

Dynamic Reverse Route Injection (RRI) is configured on both DC ASA Firewalls to add a static route for the remote peer network into the ASA’s routing table when a VPN is established.

crypto map CMAP 1 match address VPN-BRANCH
crypto map CMAP 1 set pfs group19
crypto map CMAP 1 set peer 2.2.2.1
crypto map CMAP 1 set ikev2 ipsec-proposal AES-GCM
crypto map CMAP 1 set reverse-route dynamic

A prefix-list and a route-map are used to control which static routes are redistributed into OSPF.

prefix-list VPN_NETWORKS seq 10 permit 10.10.0.0/22
!
route-map VPN_NETWORKS permit 10
match ip address prefix-list VPN_NETWORKS
set metric 1500
!
route-map VPN_NETWORKS deny 20

Redistribute the static routes matched by the route-map into OSPF, so the connected Core switch learns the Branch route via whichever DC ASA has the active VPN tunnel.

router ospf 1
 redistribute static subnets route-map VPN_NETWORKS

Branch ASA

The steps in this section refer to configuration defined on the Branch ASA to setup VPN pre-empt.

The crypto map must be configured with a primary peer and backup peer IP address.

crypto map CMAP 1 match address VPN-HQ
crypto map CMAP 1 set pfs group19
crypto map CMAP 1 set peer 1.1.1.1 1.1.2.1
crypto map CMAP 1 set ikev2 ipsec-proposal AES-GCM
crypto map CMAP interface OUTSIDE

VPN Preempt Configuration

An SLA monitor is configured to send an ICMP echo-request to the primary peer IP address (DC-1 ASA) every 10 seconds; a track object uses this to determine reachability.

sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1 interface OUTSIDE
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability

A static host route to the primary peer IP address of DC-1 ASA is tracked using the track object.

route OUTSIDE 1.1.1.1 255.255.255.255 2.2.2.254 1 track 1

An EEM script is created to take an action when SYSLOG ID 622001 occurs twice. This SYSLOG message ID is generated when a tracked static route is removed from, or added back to, the routing table. The first occurrence is the route to the primary peer being removed on failure; the second is the route being re-added when the primary peer is reachable again, at which point the script triggers and clears the IPSec SA to the backup peer.

event manager applet VPN-PREEMPT
event syslog id 622001 occurs 2
action 1 cli command "clear crypto ipsec sa peer 1.1.2.1"
output console

Logging

Logging to the console of the Branch ASA is enabled for troubleshooting and verification purposes and is not required permanently. A console logging list containing a few relevant IKEv2, IPSec and SLA/tracking message IDs has been defined.

logging enable
logging timestamp
logging list CONSOLE-LIST message 622001
logging list CONSOLE-LIST message 602303
logging list CONSOLE-LIST message 602304
logging list CONSOLE-LIST message 750007
logging list CONSOLE-LIST message 750012
logging console CONSOLE-LIST

Verification

Branch ASA

All troubleshooting and verification steps in the following section will be performed on the Branch ASA.

  • Establish a VPN to the primary peer (1.1.1.1)

The output below from Branch ASA confirms a VPN is established to the primary peer and is encrypting|decrypting packets.

BRANCH(config)# show crypto ipsec sa
interface: OUTSIDE
Crypto map tag: CMAP, seq num: 1, local addr: 2.2.2.1
access-list VPN-HQ extended permit ip 10.10.0.0 255.255.252.0 192.168.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.10.0.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer: 1.1.1.1

#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15

  • Simulate failure of the primary peer by shutting down the DC-1 ASA OUTSIDE interface.
  • Generate traffic destined to the DC networks to establish a new VPN tunnel to DC-2 ASA.

The tracked route to 1.1.1.1 on the Branch ASA generates a SYSLOG message confirming the route has been removed.

Feb 12 2023 13:31:40: %ASA-6-622001: Removing tracked route 1.1.1.1 255.255.255.255 2.2.2.254, distance 1, table default, on interface OUTSIDE

Subsequently, two messages confirm the inbound and outbound IPSec SAs to the primary peer have been deleted.

Feb 12 2023 13:31:48: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x7AA238E2) between 2.2.2.1 and 1.1.1.1 (user= 1.1.1.1) has been deleted.
Feb 12 2023 13:31:48: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xF34C4CD0) between 1.1.1.1 and 2.2.2.1 (user= 1.1.1.1) has been deleted.

After approximately 2 minutes SYSLOG messages on the Branch ASA confirm a successful tunnel establishment to the backup peer IP address 1.1.2.1.

Feb 12 2023 13:34:05: %ASA-5-750006: Local:2.2.2.1:500 Remote:1.1.2.1:500 Username:1.1.2.1 IKEv2 SA UP. Reason: New Connection Established
Feb 12 2023 13:34:05: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x9BC5929F) between 2.2.2.1 and 1.1.2.1 (user= 1.1.2.1) has been created.
Feb 12 2023 13:34:05: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xD0DC066C) between 2.2.2.1 and 1.1.2.1 (user= 1.1.2.1) has been created.
Feb 12 2023 13:34:05: %ASA-5-752016: IKEv2 was successful at setting up a tunnel.  Map Tag = CMAP. Map Sequence Number = 1.

The output below from Branch ASA confirms a VPN is established to the backup peer 1.1.2.1 and is encrypting|decrypting packets.

BRANCH# show crypto ipsec sa
interface: OUTSIDE
Crypto map tag: CMAP, seq num: 1, local addr: 2.2.2.1
access-list VPN-HQ extended permit ip 10.10.0.0 255.255.252.0 192.168.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.10.0.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer: 1.1.2.1

#pkts encaps: 89, #pkts encrypt: 89, #pkts digest: 89
#pkts decaps: 89, #pkts decrypt: 89, #pkts verify: 89

  • Fail back to the primary peer by issuing no shutdown on the DC-1 ASA OUTSIDE interface.

SYSLOG message ID 622001 confirms the tracked route to 1.1.1.1 has been added back to the routing table; it is this message the EEM script is waiting for in order to trigger.

Feb 12 2023 13:41:28: %ASA-6-622001: Adding tracked route 1.1.1.1 255.255.255.255 2.2.2.254, distance 1, table default, on interface OUTSIDE

With the EEM script output configured to "console", the message below is displayed, confirming the action taken: clearing the IPSec SA for the backup peer.

622001: Adding tracked route 1.1.1.1 255.255.255.255 2.2.2.254, distance 1, table default, on interface OUTSIDE
------------------ clear crypto ipsec sa peer 1.1.2.1 @ 2023/02/12 13:41:28 ------------------

The subsequent messages confirm the IPSec SAs between 2.2.2.1 and 1.1.2.1 have been deleted.

Feb 12 2023 13:41:28: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x9BC5929F) between 2.2.2.1 and 1.1.2.1 (user= 1.1.2.1) has been deleted.
Feb 12 2023 13:41:28: %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xD0DC066C) between 1.1.2.1 and 2.2.2.1 (user= 1.1.2.1) has been deleted.
Feb 12 2023 13:41:28: %ASA-5-750007: Local:2.2.2.1:500 Remote:1.1.2.1:500 Username:1.1.2.1 IKEv2 SA DOWN. Reason: unknown

With interesting traffic being generated to establish a VPN, a new VPN tunnel to the primary peer 1.1.1.1 is established after 3 seconds.

Feb 12 2023 13:41:31: %ASA-5-750006: Local:2.2.2.1:500 Remote:1.1.1.1:500 Username:1.1.1.1 IKEv2 SA UP. Reason: New Connection Established
Feb 12 2023 13:41:31: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xFE584FE9) between 2.2.2.1 and 1.1.1.1 (user= 1.1.1.1) has been created.
Feb 12 2023 13:41:31: %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x2094049A) between 2.2.2.1 and 1.1.1.1 (user= 1.1.1.1) has been created.
Feb 12 2023 13:41:31: %ASA-5-752016: IKEv2 was successful at setting up a tunnel.  Map Tag = CMAP. Map Sequence Number = 1.
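As an added example (not part of the original post), the Python script below replays Branch ASA console messages like those shown above: it follows the active IKEv2 peer from 750006/750007 and the tracked route to the primary from 622001, and reports when the tunnel stays on the backup peer after the primary's route has returned, which is exactly the condition the EEM applet exists to resolve. The sample log lines are constructed from the ones in this post and use the post's peer addresses; function names are my own.

```python
from __future__ import annotations
import re

PRIMARY_PEER = "1.1.1.1"  # DC-1 ASA, the preferred peer in this post
BACKUP_PEER = "1.1.2.1"   # DC-2 ASA, the backup peer in this post

# Constructed sample modelled on the Branch ASA console output above: failover to DC-2,
# then the tracked route returns and the EEM applet clears the backup SA (750007 follows).
PREEMPT_OK = """\
Feb 12 2023 13:31:40: %ASA-6-622001: Removing tracked route 1.1.1.1 255.255.255.255 2.2.2.254, distance 1, table default, on interface OUTSIDE
Feb 12 2023 13:34:05: %ASA-5-750006: Local:2.2.2.1:500 Remote:1.1.2.1:500 Username:1.1.2.1 IKEv2 SA UP. Reason: New Connection Established
Feb 12 2023 13:41:28: %ASA-6-622001: Adding tracked route 1.1.1.1 255.255.255.255 2.2.2.254, distance 1, table default, on interface OUTSIDE
Feb 12 2023 13:41:28: %ASA-5-750007: Local:2.2.2.1:500 Remote:1.1.2.1:500 Username:1.1.2.1 IKEv2 SA DOWN. Reason: unknown
Feb 12 2023 13:41:31: %ASA-5-750006: Local:2.2.2.1:500 Remote:1.1.1.1:500 Username:1.1.1.1 IKEv2 SA UP. Reason: New Connection Established
"""
# Same start, but the backup tunnel never drops after the primary route is re-added
# (what the console shows if the EEM applet is missing or does not fire).
PREEMPT_MISSED = "\n".join(PREEMPT_OK.splitlines()[:3]) + "\n"

LINE_RE = re.compile(r"^(\w{3} \d+ \d{4} \d\d:\d\d:\d\d): %ASA-\d-(\d{6}): (.*)$", re.M)
ROUTE_RE = re.compile(r"^(Adding|Removing) tracked route (\S+) ")
IKE_RE = re.compile(r"Remote:([\d.]+):\d+ .*IKEv2 SA (UP|DOWN)")

def replay(log_text: str) -> list[tuple[str, str | None, bool]]:
    """Return (timestamp, active_peer, primary_route_present) after each relevant message."""
    active_peer, primary_up, timeline = None, True, []  # peer unknown until the first SA UP
    for m in LINE_RE.finditer(log_text):
        ts, msg_id, body = m.groups()
        if msg_id == "622001" and (r := ROUTE_RE.match(body)) and r.group(2) == PRIMARY_PEER:
            primary_up = r.group(1) == "Adding"  # tracked route to DC-1 added or removed
        elif msg_id in ("750006", "750007") and (k := IKE_RE.search(body)):
            peer, state = k.groups()
            if state == "UP":
                active_peer = peer  # IKEv2 SA UP: the tunnel is now on this peer
            elif active_peer == peer:
                active_peer = None  # IKEv2 SA DOWN for the peer we were on
        else:
            continue
        timeline.append((ts, active_peer, primary_up))
    return timeline

def missed_preempt(log_text: str) -> str | None:
    """Timestamp since which the tunnel is on the backup peer with the primary route back, or None."""
    since = None
    for ts, peer, primary_up in replay(log_text):
        if not (primary_up and peer == BACKUP_PEER):
            since = None
        elif since is None:
            since = ts
    return since
```

Feed it the output of a console log with the same message list as configured above; a non-None result that persists beyond a few seconds means the applet did not fire or the clear did not take effect.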

DC Core

Under normal circumstances, when the Branch VPN is established to DC-1 ASA, the dynamic RRI static routes for the Branch network should be received by the DC Core switch on interface GigabitEthernet0/1, via IP address 192.168.250.1.

HQ-CORE#show ip route ospf | begin Gateway
Gateway of last resort is not set
10.0.0.0/22 is subnetted, 1 subnets
O E2     10.10.0.0 [110/1500] via 192.168.250.1, 00:06:47, GigabitEthernet0/1

If the VPN between DC-1 ASA and Branch ASA fails, the dynamic RRI static routes learnt from DC-1 ASA should be removed from the routing table. Once the VPN to DC-2 ASA is established, the routes to the Branch network should be received on GigabitEthernet0/0, via IP address 192.168.251.1.

HQ-CORE#show ip route ospf | begin Gateway
Gateway of last resort is not set
10.0.0.0/22 is subnetted, 1 subnets
O E2     10.10.0.0 [110/1500] via 192.168.251.1, 00:01:43, GigabitEthernet0/0