nelifecare (MIS)
5 Jan 10 22:13
OK. Here it goes. I'm writing this since I am still waiting on a vendor for this setup and want to see if anyone here can assist.

2 sites.

Each site's gateway is a 3560G.

Each site has an ASA for Internet.

Site A has a 2811 with WIC-T1

Site B has a 1841 with WIC-T1

Site A and B are currently defaulted to use a VPN between the 2 for their primary connection. (Greater bandwidth)

Site A and B also are connected via the 1841 and 2811 with a private circuit. (Secondary)

What I would like to happen is: IF the primary connection fails, traffic is routed over the secondary connection automatically, then fails back once the primary link is back up.

The vendor is playing around with IP SLA icmp-echo commands along with the track command.

This isn't working. Does anyone have any good examples of a similar setup that I may reference?

Thanks
unclerico (IS/IT--Management)
6 Jan 10 9:15
I'm assuming that the SLA monitor is set up on each 3560? If so, what IP address is each set up to ping?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

nelifecare (MIS)
6 Jan 10 9:55
Switch A:

track 1 rtr 1 reachability
ip subnet-zero
ip routing
!
ip sla 1
 icmp-echo 10.255.255.2
 timeout 500
 frequency 3
ip sla schedule 1 life forever start-time pending

interface Loopback10255
 ip address 10.255.255.1 255.255.255.255

router ospf 100
 log-adjacency-changes
 redistribute connected
 network 192.168.1.0 0.0.0.255 area 0

ip route 192.168.40.0 255.255.255.0 192.168.1.11 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.11
ip route 192.168.40.0 255.255.255.0 192.168.1.2 254
Switch B:

track 1 rtr 1 reachability
ip subnet-zero
ip routing
!
ip sla responder
ip sla 1
 icmp-echo 10.255.255.1
 timeout 500
 frequency 3
ip sla schedule 1 life forever start-time pending

interface Loopback10255
 ip address 10.255.255.2 255.255.255.255

router ospf 100
 log-adjacency-changes
 redistribute connected
 network 192.168.40.0 0.0.0.255 area 0
!
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.40.11 track 1
ip route 0.0.0.0 0.0.0.0 192.168.40.11
ip route 192.168.1.0 255.255.255.0 192.168.40.2 254
unclerico (IS/IT--Management)
6 Jan 10 10:25
I see you're using OSPF; why don't you just use that to detect the failure?
nelifecare (MIS)
6 Jan 10 10:31
How would I use OSPF to detect the failure?

I want my primary connection to go via VPN and the secondary to go Point-To-Point.

In the past we had this the other way around using OSPF and it worked great. Now that I want it the other way around, my vendor is still trying to figure out how.
unclerico (IS/IT--Management)
6 Jan 10 10:40
You need to run OSPF across the VPN tunnel as well as the PtP and tweak the metric to choose the VPN route.
nelifecare (MIS)
6 Jan 10 13:05
How would I do that?
unclerico (IS/IT--Management)
6 Jan 10 14:07
The VPN terminates on the ASAs?
nelifecare (MIS)
6 Jan 10 14:13
Yes. VPNs terminate on ASAs.
unclerico (IS/IT--Management)
6 Jan 10 14:29
OK, if you aren't familiar with how to run OSPF over a L2L tunnel, follow this document:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

Once you have that set up, verify that the VPN routes are in the routing table. If they're not, then you're going to need to go under the LAN interface on each PtP router and adjust the cost by adding ip ospf cost <number>. The number needs to be something that will make the cost of the PtP routes higher than the cost that is being reported by the ASAs.
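The reasoning in the reply above (run OSPF over both the ASA-to-ASA tunnel and the 2811/1841 point-to-point link, then make the PtP path cost higher than what the ASAs report so the tunnel wins and the PtP is only used when the tunnel route disappears) can be checked with a small path-cost model. The following is an added worked example, not code from this thread or from Cisco. The node names (SwA, ASA-A, R2811, R1841, ASA-B, SwB) and the link costs are constructed assumptions: the ASA interfaces use the "ospf cost 10" from the posted configs, switch Gigabit ports and the routers' LAN ports use the IOS default cost of 10^8 / bandwidth (1), the T1 serial uses the same default (64), and the `ptp_lan_cost` parameter stands in for the `ip ospf cost <number>` the reply suggests on the PtP routers' LAN interfaces.

```python
"""Dijkstra model of site A -> site B OSPF path selection: VPN tunnel vs PtP T1.

Added example for this thread; topology, node names and costs are assumptions
(ASA 'ospf cost 10' from the posted configs, IOS default 10^8/bandwidth elsewhere).
"""
import heapq
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]
REFERENCE_BW = 100_000_000  # IOS default auto-cost reference bandwidth (bps)


def default_cost(bandwidth_bps: int) -> int:
    """IOS default OSPF interface cost: reference bandwidth / bandwidth, minimum 1."""
    return max(1, REFERENCE_BW // bandwidth_bps)


def build_topology(tunnel_cost: int = 10, ptp_lan_cost: int = 1,
                   vpn_up: bool = True, ptp_up: bool = True) -> Graph:
    """Directed graph; each cost is charged on the sending node's interface."""
    g: Graph = {}

    def link(a: str, b: str, cost_ab: int, cost_ba: int) -> None:
        g.setdefault(a, {})[b] = cost_ab
        g.setdefault(b, {})[a] = cost_ba

    gig = default_cost(1_000_000_000)   # 3560G LAN ports -> 1 (assumed)
    t1 = default_cost(1_544_000)        # WIC-T1 serial -> 64 (assumed)
    asa_inside = 10                     # 'ospf cost 10' on the ASA inside interfaces
    link("SwA", "ASA-A", gig, asa_inside)
    link("SwB", "ASA-B", gig, asa_inside)
    link("SwA", "R2811", gig, ptp_lan_cost)   # router LAN 'ip ospf cost'
    link("SwB", "R1841", gig, ptp_lan_cost)
    if vpn_up:   # OSPF adjacency across the L2L tunnel, 'ospf cost' on Outside
        link("ASA-A", "ASA-B", tunnel_cost, tunnel_cost)
    if ptp_up:   # OSPF adjacency across the private circuit
        link("R2811", "R1841", t1, t1)
    return g


def shortest_path(g: Graph, src: str, dst: str) -> Tuple[Optional[int], List[str]]:
    """Dijkstra: (total cost, hop list), or (None, []) if dst is unreachable."""
    dist = {src: 0}
    prev: Dict[str, str] = {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, w in g.get(u, {}).items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def site_a_to_b(**kw) -> Tuple[str, Optional[int], List[str]]:
    """Which link site A's switch uses to reach site B: 'VPN', 'PtP' or 'none'."""
    cost, path = shortest_path(build_topology(**kw), "SwA", "SwB")
    if not path:
        return "none", None, []
    return ("VPN" if "ASA-A" in path else "PtP"), cost, path


def required_ptp_lan_cost(tunnel_cost: int = 10) -> int:
    """Smallest 'ip ospf cost' on the PtP routers' LAN interfaces that keeps the
    PtP path strictly more expensive than the tunnel path (ties would load-share)."""
    vpn_cost, _ = shortest_path(build_topology(tunnel_cost=tunnel_cost, ptp_up=False), "SwA", "SwB")
    ptp_base, _ = shortest_path(build_topology(ptp_lan_cost=0, vpn_up=False), "SwA", "SwB")
    return max(1, vpn_cost - ptp_base + 1)


if __name__ == "__main__":
    for scenario in ({}, {"vpn_up": False}, {"vpn_up": False, "ptp_up": False}):
        print(scenario or "both links up", "->", site_a_to_b(**scenario))
    print("LAN cost needed if the tunnel reported cost 100:", required_ptp_lan_cost(100))
```

With the assumed defaults the tunnel path (1 + 10 + 10 = 21) is already cheaper than the T1 path (1 + 64 + 1 = 66), so no LAN cost change is needed and the PtP only carries traffic once the tunnel adjacency is gone; the `required_ptp_lan_cost` helper shows what "higher than the cost reported by the ASAs" works out to if the tunnel side were more expensive.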
nelifecare (MIS)
7 Jan 10 12:03
OK. I've attempted to setup OSPF over VPN and I cannot complete 100%. Half is up.

Site A

sh ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.40.11     1   INIT/  -        0:00:38     173.13.72.149   Outside
192.168.1.2       1   FULL/DROTHER    0:00:32     192.168.1.2     Inside
192.168.1.1       1   FULL/BDR        0:00:32     192.168.1.1     Inside


Site B:

sh ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.40.2      1   FULL/BDR        0:00:31     192.168.40.2    inside
10.255.255.2      1   FULL/DR         0:00:38     192.168.40.1    inside
            N/A   0   DOWN/  -           -         24.39.38.125    outside
Site A Config:

: Saved
: Written by enable_15 at 10:25:54.216 EST Thu Jan 7 2010
!
ASA Version 8.0(4)
!
terminal width 200
hostname SITEA
domain-name xxxx.org
enable password ********* encrypted
passwd ********** encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xx.xx.x8.125 255.255.255.240
 ospf cost 10
 ospf network point-to-point non-broadcast
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif Inside
 security-level 99
 ip address 192.168.1.11 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 ospf cost 10
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup DMZ
dns server-group DefaultDNS
 name-server 192.168.1.21
 name-server 192.168.1.31
 domain-name xxxx.org
same-security-traffic permit intra-interface
object-group service Citrix tcp
 description Open ports 80,443,442,1492,8088
 port-object eq 442
 port-object eq citrix-ica
 port-object eq 8088
 port-object eq www
 port-object eq https
object-group network CitrixServers
 description All Citrix Servers
 network-object 192.168.1.38 255.255.255.255
 network-object 192.168.1.39 255.255.255.255
 network-object 192.168.1.40 255.255.255.255
 network-object 192.168.1.41 255.255.255.255
 network-object host 192.168.1.42
object-group network CorpDVS
 network-object host xx.xx.xx.185
 network-object host xx.xx.xx.252
object-group network DM_INLINE_NETWORK_1
 network-object host 192.168.2.10
 network-object host 192.168.2.50
object-group network Internal_DNS_Servers
 network-object host 192.168.1.21
 network-object host 192.168.1.31
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 444
 port-object eq https
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0
 network-object 192.168.40.0 255.255.255.0
 network-object 192.168.60.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0
 network-object 192.168.40.0 255.255.255.0
 network-object 192.168.60.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
 network-object host xx.xx.x8.114
 network-object host xx.xx.x8.122
object-group network DM_INLINE_NETWORK_2
 network-object host 10.255.255.1
 network-object 192.168.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
 network-object host 10.255.255.2
 network-object 192.168.40.0 255.255.255.0
object-group network DM_INLINE_NETWORK_7
 network-object host 10.255.255.1
 network-object 192.168.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp any host xx.xx.x8.114 eq https
access-list Outside_access_in extended permit tcp any host xx.xx.x8.116 eq www
access-list Outside_access_in extended permit tcp any host xx.xx.x8.116 eq https
access-list Outside_access_in extended permit tcp any host xx.xx.x8.115 eq https
access-list Outside_access_in extended permit tcp any host xx.xx.x8.115 eq www
access-list Outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_5 eq smtp
access-list Outside_access_in extended permit tcp any host xx.xx.x8.121 eq smtp
access-list Outside_access_in extended permit tcp any host xx.xx.x8.118 eq https
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit tcp any host xx.xx.x8.120 eq https
access-list Outside_access_in extended permit tcp object-group CorpDVS host x.x.x8.117 eq 3389
access-list Outside_access_in extended permit tcp host x.x.x.138 host xx.xx.x8.121 eq 26
access-list Outside_access_in extended permit tcp any host xx.xx.x8.119 eq www
access-list Outside_access_in extended permit tcp any host xx.xx.x8.119 eq https
access-list Outside_access_in extended permit tcp any host xx.xx.x8.124 eq https
access-list Outside_access_in extended permit tcp any host xx.xx.x8.123 object-group DM_INLINE_TCP_1
access-list DMZ_access_in extended permit tcp host 192.168.2.10 host 192.168.1.32 eq smtp
access-list DMZ_access_in extended permit tcp host 192.168.2.20 host 192.168.1.32 eq smtp
access-list DMZ_access_in extended permit tcp host 192.168.2.20 host 192.168.1.21 eq 3268
access-list DMZ_access_in extended permit udp host 192.168.2.20 host 192.168.1.21 eq ntp
access-list DMZ_access_in extended permit tcp host 192.168.2.20 host 192.168.1.44 eq ftp
access-list DMZ_access_in extended permit tcp host 192.168.2.10 host 192.168.1.21 eq 3268
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object-group CitrixServers object-group Citrix
access-list DMZ_access_in extended permit ip host 192.168.2.50 host 192.168.1.135
access-list DMZ_access_in extended permit udp host 192.168.2.10 host 192.168.1.21 eq ntp
access-list DMZ_access_in extended permit udp 192.168.2.0 255.255.255.0 object-group Internal_DNS_Servers eq domain
access-list DMZ_access_in extended permit udp 192.168.2.0 255.255.255.0 host 192.168.1.4 eq snmp
access-list DMZ_access_in extended permit icmp 192.168.2.0 255.255.255.0 any
access-list DMZ_access_in extended permit tcp host 192.168.2.10 host 192.168.1.49 eq 1433
access-list DMZ_access_in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list DMZ_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list Inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list Inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list Inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list Inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.1.100.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list Inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 10.255.255.2
access-list Inside_nat0_outbound extended permit ip host 10.255.255.1 192.168.40.0 255.255.255.0
access-list Outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Outside_cryptomap_20 extended permit ip 192.168.30.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Outside_100_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Outside_100_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Outside_cryptomap_60 extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip any 172.16.1.0 255.255.255.224
access-list Outside_80_cryptomap extended permit ospf interface Outside host xx.xx.x2.149
access-list Outside_80_cryptomap extended permit ospf interface Outside xx.xx.x2.144 255.255.255.248
access-list Outside_80_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_6
access-list Outside_80_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Outside_80_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Outside_80_cryptomap extended permit ip 10.1.100.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Outside_80_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Outside_80_cryptomap extended permit ip object-group DM_INLINE_NETWORK_7 host 10.255.255.2
access-list DMZ_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list DMZ_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 100000
logging asdm-buffer-size 512
logging console informational
logging buffered critical
logging asdm critical
logging from-address
logging recipient-address level errors
logging host Inside 192.168.1.22
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool RegionalVPN 172.16.1.1-172.16.1.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 xx.xx.x8.126
global (Outside) 100 xx.xx.x8.124
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.0.0 255.255.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 1 192.168.2.0 255.255.255.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (Inside,Outside) xx.xx.x8.117 192.168.1.17 netmask 255.255.255.255
static (Inside,Outside) xx.xx.x8.119 192.168.1.105 netmask 255.255.255.255
static (Inside,Outside) xx.xx.x8.118 192.168.1.32 netmask 255.255.255.255
static (Inside,Outside) xx.xx.x8.120 192.168.1.33 netmask 255.255.255.255
static (DMZ,Outside) xx.xx.x8.122 192.168.2.20 netmask 255.255.255.255
static (DMZ,Outside) xx.xx.x8.114 192.168.2.10 netmask 255.255.255.255
static (DMZ,Outside) xx.xx.x8.121 192.168.2.11 netmask 255.255.255.255
static (DMZ,Outside) xx.xx.x8.116 192.168.2.12 netmask 255.255.255.255
static (DMZ,Outside) xx.xx.x8.115 192.168.2.13 netmask 255.255.255.255
static (DMZ,Outside) xx.xx.x8.124 192.168.2.14 netmask 255.255.255.255
static (DMZ,Outside) xx.xx.x8.123 192.168.2.50 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
!
router ospf 100
 network xx.xx.x8.112 255.255.255.240 area 0
 network xx.xx.x2.144 255.255.255.248 area 0
 network 192.168.1.0 255.255.255.0 area 0
 neighbor xx.xx.x2.149 interface Outside
 log-adj-changes
!
route Outside 0.0.0.0 0.0.0.0 24.39.38.113 1
route Inside 10.255.255.1 255.255.255.255 192.168.1.1 1
route Outside xx.xx.x2.149 255.255.255.255 24.39.38.113 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:10:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server 192.168.1.21 protocol radius
aaa-server 192.168.1.21 (Inside) host 192.168.1.21
 key ************
 radius-common-pw ************
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 default-acl  unused
 reval-period 36000
 sq-period 300
http server enable
http 0.0.0.0 0.0.0.0 Inside
snmp-server host Inside 192.168.1.4 community ******
snmp-server location ********
snmp-server contact *******
sysopt connection preserve-vpn-flows
sysopt noproxyarp Inside
sysopt noproxyarp DMZ
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer xx.xx.x7.157
crypto map Outside_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map 20 set security-association lifetime seconds 28800
crypto map Outside_map 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 60 match address Outside_cryptomap_60
crypto map Outside_map 60 set peer xx.xx.x0.210
crypto map Outside_map 60 set transform-set ESP-3DES-MD5
crypto map Outside_map 60 set security-association lifetime seconds 28800
crypto map Outside_map 60 set security-association lifetime kilobytes 4608000
crypto map Outside_map 80 match address Outside_80_cryptomap
crypto map Outside_map 80 set pfs
crypto map Outside_map 80 set peer xx.xx.x2.149
crypto map Outside_map 80 set transform-set ESP-3DES-MD5
crypto map Outside_map 80 set security-association lifetime seconds 28800
crypto map Outside_map 80 set security-association lifetime kilobytes 4608000
crypto map Outside_map 100 match address Outside_100_cryptomap
crypto map Outside_map 100 set pfs
crypto map Outside_map 100 set peer xx.xx.x4.2
crypto map Outside_map 100 set transform-set ESP-3DES-MD5
crypto map Outside_map 100 set security-association lifetime seconds 28800
crypto map Outside_map 100 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh timeout 15
console timeout 30
management-access Inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.21
webvpn
 enable Outside
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.1.21
 dns-server value 192.168.1.21 192.168.1.31
 vpn-tunnel-protocol IPSec
 pfs enable
 default-domain value xxxx.org
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy webvpn internal
group-policy webvpn attributes
 vpn-tunnel-protocol webvpn
 webvpn
group-policy nevpn internal
group-policy nevpn attributes
 vpn-tunnel-protocol IPSec
group-policy SOHO internal
group-policy SOHO attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 smartcard-removal-disconnect enable
group-policy Laptops internal
group-policy Laptops attributes
 vpn-tunnel-protocol IPSec
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key ************
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group 192.168.1.21
 default-group-policy webvpn
tunnel-group xx.xx.x7.157 type ipsec-l2l
tunnel-group xx.xx.x7.157 ipsec-attributes
 pre-shared-key ************
tunnel-group xx.xx.x3.53 type ipsec-l2l
tunnel-group xx.xx.x3.53 ipsec-attributes
 pre-shared-key ************
tunnel-group xx.xx.x0.210 type ipsec-l2l
tunnel-group xx.xx.x0.210 ipsec-attributes
 pre-shared-key ************
tunnel-group nevpn type remote-access
tunnel-group nevpn general-attributes
 address-pool RegionalVPN
 authentication-server-group 192.168.1.21
 default-group-policy nevpn
tunnel-group nevpn ipsec-attributes
 pre-shared-key ************
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 general-attributes
 default-group-policy SOHO
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key ************
 isakmp keepalive threshold 20 retry 5
tunnel-group xx.xx.x4.2 type ipsec-l2l
tunnel-group xx.xx.x4.2 ipsec-attributes
 pre-shared-key ************
tunnel-group xx.xx.x5.117 type ipsec-l2l
tunnel-group xx.xx.x5.117 ipsec-attributes
 pre-shared-key ************
tunnel-group xx.xx.x2.149 type ipsec-l2l
tunnel-group xx.xx.x2.149 ipsec-attributes
 pre-shared-key ************
tunnel-group-map default-group DefaultL2LGroup
!
class-map sip-port
 match port tcp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1500
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
  inspect http
  inspect dns preset_dns_map
  inspect ipsec-pass-thru
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1500
policy-map sip_policy
 class sip-port
  inspect sip  
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
!
service-policy global_policy global
smtp-server 192.168.1.27
prompt hostname domain context
Cryptochecksum:e7fd369cfb6bb1d12da7db465bdc687b
: end
Site B Config:


ASA Version 8.0(4)
!
hostname SITEB
domain-name xxxx.org
enable password ****** encrypted
passwd ****** encrypted
names

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.40.11 255.255.255.0
 ospf cost 10

interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.x2.149 255.255.255.248
 ospf cost 10
 ospf network point-to-point non-broadcast
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT 5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.40.9
 domain-name nelifecare.org
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object host 10.255.255.2
 network-object 192.168.40.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object host 10.255.255.1
 network-object 192.168.1.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list no_nat extended permit ip 10.1.100.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list no_nat extended permit ip 192.168.20.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list no_nat extended permit ip 192.168.30.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list no_nat extended permit ip host 10.255.255.2 host 10.255.255.1
access-list no_nat extended permit ip host 10.255.255.1 host 10.255.255.2
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 host 10.255.255.1
access-list no_nat extended permit ip host 10.255.255.2 192.168.1.0 255.255.255.0
access-list no_nat extended permit ip any 172.16.40.0 255.255.255.0
access-list VPN_Client_In extended permit ip any 172.16.40.0 255.255.255.224
access-list VPN_To_Regional extended permit ip 192.168.40.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN_To_Regional extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN_To_Regional extended permit ip 192.168.40.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list VPN_To_Regional extended permit ospf interface outside host xx.xx.x8.125
access-list acl_outside extended permit icmp any any
access-list outside_20_cryptomap extended permit ospf interface outside host xx.xx.x8.125
access-list outside_20_cryptomap extended permit ospf interface outside xx.xx.x8.112 255.255.255.240
access-list outside_20_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list outside_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host 10.255.255.1
access-list outside_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_60_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Outside_access_in extended permit tcp any host xx.xx.x2.146 eq smtp
access-list Outside_access_in extended permit tcp any host xx.xx.x2.147 eq https
access-list Outside_access_in extended permit tcp any host xx.xx.x2.147 eq www
access-list Outside_access_in extended permit tcp any host xx.xx.x2.147 eq 444
access-list Outside_access_in extended permit icmp any any
access-list outside_cryptomap_dyn_10 extended permit ip any 172.16.40.0 255.255.255.192
access-list Outside_20_cryptomap extended permit ip host 10.255.255.2 host 10.255.255.1
access-list Outside_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host 10.255.255.1
pager lines 24
logging enable
logging buffer-size 16384
logging buffered debugging
logging asdm errors
logging facility 16
logging host inside 192.168.40.100
mtu inside 1500
mtu outside 1500
ip local pool VPN_Client_In 172.16.40.10-172.16.40.50
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xx.xx.x2.148 netmask 255.255.255.255
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xx.xx.x2.147 192.168.40.18 netmask 255.255.255.255
static (inside,outside) xx.xx.x2.146 192.168.40.17 netmask 255.255.255.255
access-group Outside_access_in in interface outside
!
router ospf 100
 network xx.xx.x8.112 255.255.255.240 area 0
 network xx.xx.x2.144 255.255.255.248 area 0
 network 192.168.40.0 255.255.255.0 area 0
 neighbor xx.xx.x8.125 interface outside
 log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 xx.xx.x2.150 1
route outside 10.1.100.0 255.255.255.0 192.168.1.66 1
route inside 10.255.255.2 255.255.255.255 192.168.40.1 1
route outside xx.xx.x8.125 255.255.255.255 xx.xx.x2.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ATTIS protocol radius
aaa-server ATTIS (inside) host 192.168.40.9
    key ******
http server enable
http 192.168.0.0 255.255.0.0 inside
snmp-server host inside 192.168.1.4 community ******
snmp-server location 192.168.40.0
snmp-server contact helpcenter@xxx.org
sysopt connection preserve-vpn-flows
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer xx.xx.x8.125
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association
unclerico (IS/IT--Management)
7 Jan 10 12:20
Run some OSPF debugs and post back what they say. I have a feeling it may be that your global IP is different from your outside interface IP. Maybe try changing the OSPF neighbor on each ASA to match what you have in your global (outside) statement.
nelifecare (MIS)
8 Jan 10 12:18
OK. Got this to work. I removed the neighbor and then re-added it back and OSPF started working.

Once that occurred I had an issue. Site A also accepts connections from Site C and D, 2 other branches whose primary is Point-to-Point and whose secondary would fail over to VPN.

Currently, ALL sites connect to Site B via VPN. When I introduced the new OSPF settings, Site C and D could not see Site B. If Sites B, C, or D are connected to Site A using the Point-To-Point, they communicate via the Point-to-Point. If any one of the Sites is NOT using the Point-to-Point, they communicate via VPN. If I implement OSPF over VPN on the other 2 Sites (C & D) should everything work correctly if any one Site loses 1 of their network connections?

I want to continue to have Sites C & D use their Point-to-Point as their primary and only failover to secondary if primary fails. How would I setup OSPF costs to accomplish this?
unclerico (IS/IT--Management)
8 Jan 10 13:50
i want to make 100% sure i understand what you are talking about. can you upload a network topology that shows your current state as well as your future (ideal) state?? adding in sites C and D will essentially eliminate the use of OSPF over the VPN tunnel (it's a shortcoming in how the ASAs run OSPF across VPNs).

nelifecare (MIS)
8 Jan 10 14:34
PDF of overall network here: http://www.docshare.com/doc/202978/NetworkConfig

I essentially am trying to make sure ALL sites stay connected at ALL times no matter which link is severed as long as multiple links are not at the same time.
unclerico (IS/IT--Management)
8 Jan 10 18:06
so as it is right now, if a host in Site C or D wanted to communicate with a host in Site B they would use the PtP connection to Site A and then would hop on the VPN tunnel from Site A to Site B (Site C -> Site A -> Site B)?? i just want to clarify.

nelifecare (MIS)
9 Jan 10 5:33
no. If Site B is connected to Site A via VPN, ALL sites will communicate with Site B via VPN. I think this is because Site B is only sending data via VPN and isn't even using the PtP.
unclerico (IS/IT--Management)
9 Jan 10 18:53
this will be pretty easy to do. you will run OSPF across all of the PtP circuits so that if the Internet connection on site C or D goes down it will be able to use site A as a transit to reach site B and vice versa. you must configure your firewalls to permit ICMP Echo traffic from the other sites (Site B needs to permit ICMP Echos from Site A, C, and D. Site D needs to permit ICMP Echos from Site B, etc). Since static routes will be preferred over the OSPF routes (assuming that the prefix length is the same) the routing tables will look like this:

Site A
  OSPF route to Site C and D over the PtP links
  Tracked static route over the VPN to Site B

Site B
  Tracked static route over the VPN to all other sites

Site C
  OSPF route to Site A over the PtP link
  OSPF route to Site D over the PtP link
  Tracked static route over the VPN to Site B

Site D
  OSPF route to Site A over the PtP link
  OSPF route to Site C over the PtP link
  Tracked static route over the VPN to Site B

if the connection to the Internet at Site B goes down then the static routes at Site A, C, and D will be removed from the routing table and OSPF will do its thing to route everything through Site A to reach Site B. Site B will then use Site A to reach Site C and Site D. When the connection to the Internet comes back on line at Site B then the static routes will be installed in the other sites' routing tables and the OSPF routes will be removed

the only thing this doesn't do is permit Site C and Site D to communicate over the VPN to each other; they will use Site A as a transit.

you may even want to alter this in such a way that your default routes are tracked and will reroute your web traffic over your private circuits (if you have enough capacity that is)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using the following as an addressing scheme:
Site A subnets: 192.168.1.0/24 (LAN), 172.16.12.0/30 (PtP - B), 172.16.13.0/30 (PtP - C), 172.16.14.0/30 (PtP - D)
Site B subnets: 192.168.2.0/24 (LAN), 172.16.12.0/30 (PtP - A)
Site C subnets: 192.168.3.0/24 (LAN), 172.16.13.0/30 (PtP - A)
Site D subnets: 192.168.4.0/24 (LAN), 172.16.14.0/30 (PtP - A)


Site A core switch:

CODE

ip sla monitor 1
  type echo protocol ipicmpecho <outside_ip_site_b_asa>
  frequency 5
  timeout 5000
ip sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

ip route 0.0.0.0 0.0.0.0 <ASA_inside_ip>
ip route 192.168.2.0 255.255.255.0 <ASA_inside_Ip> track 1

router ospf 1
  network 192.168.1.0 0.0.0.255 area 0
  network 172.16.12.0 0.0.0.3 area 0
  network 172.16.13.0 0.0.0.3 area 0
  network 172.16.14.0 0.0.0.3 area 0
SiteB core switch:

CODE

ip sla monitor 1
  type echo protocol ipicmpecho <outside_ip_siteA_ASA>
  frequency 5
  timeout 5000
ip sla monitor 2
  type echo protocol ipicmpecho <outside_ip_siteC_ASA>
  frequency 5
  timeout 5000
ip sla monitor 3
  type echo protocol ipicmpecho <outside_ip_siteD_ASA>
  frequency 5
  timeout 5000

ip sla monitor schedule 1 life forever start-time now
ip sla monitor schedule 2 life forever start-time now
ip sla monitor schedule 3 life forever start-time now

track 1 rtr 1 reachability
track 2 rtr 2 reachability
track 3 rtr 3 reachability

ip route 0.0.0.0 0.0.0.0 <asa_inside_ip>
ip route 192.168.1.0 255.255.255.0 <asa_inside_ip> track 1
ip route 192.168.3.0 255.255.255.0 <asa_inside_ip> track 2
ip route 192.168.4.0 255.255.255.0 <asa_inside_ip> track 3

router ospf 1
  network 192.168.2.0 0.0.0.255 area 0
  network 172.16.12.0 0.0.0.3 area 0
SiteC core switch:

CODE

ip sla monitor 1
  type echo protocol ipicmpecho <outside_ip_site_b_asa>
  frequency 5
  timeout 5000
ip sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

ip route 0.0.0.0 0.0.0.0 <asa_inside_ip>
ip route 192.168.2.0 255.255.255.0 <asa_inside_ip> track 1

router ospf 1
  network 192.168.3.0 0.0.0.255 area 0
  network 172.16.13.0 0.0.0.3 area 0
SiteD core switch:

CODE

ip sla monitor 1
  type echo protocol ipicmpecho <outside_ip_site_b_asa>
  frequency 5
  timeout 5000
ip sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

ip route 0.0.0.0 0.0.0.0 <asa_inside_ip>
ip route 192.168.2.0 255.255.255.0 <asa_inside_ip> track 1

router ospf 1
  network 192.168.4.0 0.0.0.255 area 0
  network 172.16.14.0 0.0.0.3 area 0

nelifecare (MIS)
11 Jan 10 12:20
Thanks for getting this to me!

Should I remove the OSPF over VPN? Is it still needed?
unclerico (IS/IT--Management)
11 Jan 10 13:54

Quote:


Should I remove the OSPF over VPN?
yes. good luck and post back with any problems.

nelifecare (MIS)
16 Jan 10 17:14
I'm a bit confused. Site A and Site B primarily communicate over a VPN. I also have a PtP from Site A to Site B.

Currently I don't see any configuration taking this into account.
unclerico (IS/IT--Management)
18 Jan 10 12:23
If you look at the SiteA and SiteB snippets you'll see that each have a tracked static route configured to route over the VPN as primary. The PtP circuits are directly connected so if you do a show ip route you'll see them listed; however, you won't see the LAN segment in SiteB using the PtP for the next hop in SwitchA and you won't see the LAN segment in SiteA using the PtP for the next hop in SwitchB. If the VPN tunnel were to come down due to an interface failure on either side the static route will be removed from each routing table and the OSPF route will be added to use the PtP link to reach each LAN segment.

nelifecare (MIS)
18 Jan 10 16:08
OK. Does this change since the PtP are not directly connected to the Switch for either site? Will each sites router update the routing tables when the VPN fails?
unclerico (IS/IT--Management)
19 Jan 10 9:21
i apologize, they will be directly connected at your CE devices not at your core switches. as long as you have OSPF running across all of your PtP circuits and into your core then, yes, it will work flawlessly.

nelifecare (MIS)
21 Jan 10 5:29
OK. As soon as I add in OSPF info on my routers, the PtP takes over.

router ospf 100
 network 10.0.40.0 0.0.0.255 area 0

10.0.40.0 is Site A to Site B PtP subnet.

Is there an ospf cost I need to add?
unclerico (IS/IT--Management)
21 Jan 10 9:57
do you have the static routes in??

nelifecare (MIS)
21 Jan 10 10:49
Yes.

Site A:

ip route 192.168.40.0 255.255.255.0 192.168.1.11 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.11
ip route 172.16.20.0 255.255.255.0 10.0.20.2
ip route 172.16.30.0 255.255.255.0 10.0.30.2
ip route 192.168.2.0 255.255.255.0 192.168.1.11
ip route 192.168.40.0 255.255.255.0 192.168.1.2 254
ip route 192.168.60.0 255.255.255.0 192.168.1.11
ip route 192.168.70.0 255.255.255.0 192.168.1.11
ip route 192.168.80.0 255.255.255.0 192.168.1.11


Site B:

ip route 192.168.1.0 255.255.255.0 192.168.40.11 track 1
ip route 0.0.0.0 0.0.0.0 192.168.40.11
ip route 192.168.1.0 255.255.255.0 192.168.40.2 254
 
unclerico (IS/IT--Management)
21 Jan 10 11:06
ok, post the output from sh ip sla monitor operational-state from both devices

nelifecare (MIS)
21 Jan 10 13:16
Seems like one side is up and the other is not.

Site A:

Round Trip Time (RTT) for       Index 1
        Latest RTT: 50 ms
Latest operation start time: 13:14:22.032 EST Thu Jan 21 2010
Latest operation return code: OK
Number of successes: 946
Number of failures: 0
Operation time to live: Forever


Site B:

Round Trip Time (RTT) for       Index 1
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 13:12:53.378 EST Thu Jan 21 2010
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 935
Operation time to live: Forever
 
nelifecare (MIS)
21 Jan 10 13:52
Forget my previous posts. I found an issue that was causing the SLA to be down.
unclerico (IS/IT--Management)
21 Jan 10 13:54
so now you should be routing back over the L2L VPN correct??

nelifecare (MIS)
21 Jan 10 14:04
Unfortunately I have to make these changes at night and not during the day time.

I will let you know what happens this evening.

Thanks for all you assistance, by the way.
 
nelifecare (MIS)
22 Jan 10 8:47
OK. Now that the SLAs are working and communicating, when I add the PtP subnet to my router's OSPF, the VPN goes down and the PtP is down.

I did see OSPF updates when I added the below network on all devices BUT no traffic would pass.

router ospf 100
 network 10.0.40.0 0.0.0.255 area 0

10.0.40.0 is Site A to Site B PtP subnet.


Any ideas?
unclerico (IS/IT--Management)
22 Jan 10 11:17
post the configs of the two routers and the core switches from site A and B. i'd also like to see the output of sh ip route from both routers when you have everything configured.

nelifecare (MIS)
24 Jan 10 15:20
Update...

I've figured out what's going on BUT I'm not sure how to fix.

The SLA between Switch A and Switch B is working when the VPN link is up and my router at Switch A isn't advertising the PtP network, 10.0.40.0 0.0.0.255 area 0.

When I add the 10.0.40.0 0.0.0.255 area 0 to the router at Site A, no one can get to Site B because the Default Gateway @ Site A has a static entry to Site B over the VPN but the router and firewall have OSPF routes to route over the PtP which is causing packets to drop.

If I add the 10.0.40.0 0.0.0.255 area 0 network to my router AND shut down the ethernet interface for one of my VPNs, all traffic routes correctly over the PtP.

So, How do I tell my router and firewall on each side to route traffic over the VPN when it's up BUT to route traffic over the PtP?

Make sense?
unclerico (IS/IT--Management)
25 Jan 10 13:16
i need to see scrubbed configs from each device at both site A and B:
- Firewall
- Core switch
- WAN router

upload them as .txt files if you can

nelifecare (MIS)
26 Jan 10 9:47
I really appreciate the time you've spent on this.
 
unclerico (IS/IT--Management)
26 Jan 10 10:02
do you have an account at box.net or something similar where you can upload them??  

nelifecare (MIS)
27 Jan 10 21:54
You can pick up all configs here: ftp://anonymous@71.173.77.129:2121

Let me know if you are able to download them.

Again, much appreciated.
nelifecare (MIS)
27 Jan 10 22:00
Try this link instead ftp://anonymous@71.173.77.129:2121

unclerico (IS/IT--Management)
28 Jan 10 9:11
i cannot get to them from here due to the non-standard port for ftp. i'll have to wait until i get home tonight to take a look.

nelifecare (MIS)
28 Jan 10 9:17
OK.

Set to standard ftp port.

ftp://anonymous@71.173.77.129

Thanks
unclerico (IS/IT--Management)
28 Jan 10 10:59
i got 'em and am looking them over  

unclerico (IS/IT--Management)
28 Jan 10 15:51
i was able to glance at the configs and right off the top i see two things i would do:
1) on both ASA's remove the ospf neighbor configuration as well as remove the ospf traffic from your crypto acl.
2) add crypto map Outside_map 80 set reverse-route to site A ASA and crypto map outside_map 20 set reverse-route to site B ASA
3) when you add the 10.0.40/24 network into the OSPF process you can remove the static routes from each core switch using .2 as the next hop

i labbed this up in GNS3 and had it working without issue. here's a link to all of my config files and a topology:
http://www.box.net/shared/t9yfsbuqrr

i'll take a closer look at your configs later.

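The selection rule behind the design posted on 9 Jan (a tracked static at administrative distance 1 beats the OSPF route at 110 while the track is up, and drops out of the table when the IP SLA probe fails) and the asymmetric-routing trap described on 24 Jan (the core switch still holding a static toward the VPN while the WAN router and firewall only know the OSPF path over the PtP) can both be seen in a small routing-table model. What follows is an added example, not code from the thread, from Cisco, or from the lab files linked above; it uses the addresses posted in the thread (Site A LAN 192.168.1.0/24, ASA inside 192.168.1.11, WAN router 192.168.1.2, Site B LAN 192.168.40.0/24, PtP subnet 10.0.40.0/24) and assumes a PtP far end of 10.0.40.2, interface names, and a host 192.168.40.9 at Site B. The `show ip sla monitor operational-state` text it parses is constructed from the two pastes of 21 Jan, not captured output.

```python
"""Toy IOS-style routing table: tracked static vs. OSPF vs. floating static.

Added example for this thread, not vendor code. Addresses come from the thread;
the PtP far end 10.0.40.2, interface names and the Site B host 192.168.40.9 are assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IOS default administrative distances for the protocols modelled here
AD = {"connected": 0, "static": 1, "ospf": 110}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    protocol: str
    ad: int
    track: Optional[int] = None  # IP SLA track object a static depends on, if any


class Rib:
    """Candidate routes plus track state; lookup() is longest prefix, then lowest AD."""

    def __init__(self) -> None:
        self.candidates: list[Route] = []
        self.track_up: dict[int, bool] = {}

    def add(self, route: Route) -> None:
        self.candidates.append(route)

    def set_track(self, track: int, reachable: bool) -> None:
        self.track_up[track] = reachable

    def installed(self) -> list[Route]:
        # A tracked static is only installed while its track object reports up.
        return [r for r in self.candidates
                if r.track is None or self.track_up.get(r.track, False)]

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ip_address(dst)
        matches = [r for r in self.installed() if addr in ip_network(r.prefix)]
        if not matches:
            return None
        return min(matches, key=lambda r: (-ip_network(r.prefix).prefixlen, r.ad))


def sla_reachable(show_output: str) -> bool:
    """Derive the track state from 'show ip sla monitor operational-state' text."""
    m = re.search(r"Latest operation return code:\s*(\S+)", show_output)
    return bool(m) and m.group(1) == "OK"


def build_site_a_core() -> Rib:
    """Site A core switch: tracked static over the VPN, OSPF over the PtP."""
    rib = Rib()
    rib.add(Route("192.168.1.0/24", "Vlan1", "connected", AD["connected"]))
    rib.add(Route("0.0.0.0/0", "192.168.1.11", "static", AD["static"]))
    # primary path: Site B LAN via the ASA inside address, tied to track 1
    rib.add(Route("192.168.40.0/24", "192.168.1.11", "static", AD["static"], track=1))
    # floating static toward the WAN router at AD 254, as posted on 21 Jan
    rib.add(Route("192.168.40.0/24", "192.168.1.2", "static", 254))
    # routes learned by OSPF once 10.0.40.0/24 is advertised by the WAN routers
    rib.add(Route("192.168.40.0/24", "192.168.1.2", "ospf", AD["ospf"]))
    rib.add(Route("10.0.40.0/24", "192.168.1.2", "ospf", AD["ospf"]))
    return rib


def build_site_a_router() -> Rib:
    """Site A WAN router: no static toward the VPN, only the OSPF path over the PtP."""
    rib = Rib()
    rib.add(Route("10.0.40.0/24", "Serial0/0/0", "connected", AD["connected"]))
    rib.add(Route("192.168.1.0/24", "FastEthernet0/0", "connected", AD["connected"]))
    rib.add(Route("192.168.40.0/24", "10.0.40.2", "ospf", AD["ospf"]))  # assumed far end
    return rib


def next_hop_to_site_b(rib: Rib, sla_output: str) -> str:
    """Apply the probe result to track 1 and report the route chosen for a Site B host."""
    rib.set_track(1, sla_reachable(sla_output))
    r = rib.lookup("192.168.40.9")
    return f"{r.protocol}/{r.ad} via {r.next_hop}"


# Constructed samples modelled on the two operational-state pastes in the thread
SLA_OK = "Latest operation return code: OK\nNumber of successes: 946\nNumber of failures: 0\n"
SLA_TIMEOUT = "Latest operation return code: Timeout\nNumber of successes: 0\nNumber of failures: 935\n"


if __name__ == "__main__":
    core = build_site_a_core()
    print("VPN up:   ", next_hop_to_site_b(core, SLA_OK))
    print("VPN down: ", next_hop_to_site_b(core, SLA_TIMEOUT))
    print("failback: ", next_hop_to_site_b(core, SLA_OK))
    # While the VPN is up the core forwards to the ASA, but the WAN router, which
    # never had the static, already sends Site B traffic over the PtP: the
    # asymmetry described on 24 Jan.
    print("router:   ", build_site_a_router().lookup("192.168.40.9").next_hop)
```

Running it shows the tracked static winning while the probe returns OK, the OSPF route taking over on Timeout, and the static coming back on failback; the floating static at 254 is never selected once OSPF carries the prefix, which is why point 3 above says it can go. Two caveats the thread does not spell out: a probe aimed at the peer ASA's outside address only proves the Internet path is up, not that the tunnel is passing traffic, so a target reachable only through the tunnel is a better health signal; and the ICMP echo permits this design needs should be limited to the probe source and destination addresses rather than opening echo between whole subnets.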

nelifecare (MIS)
28 Jan 10 16:23
Nice! I'll check it out tonight and let you know.

Thanks again!
nelifecare (MIS)
29 Jan 10 6:00
Works like a charm!
unclerico (IS/IT--Management)
29 Jan 10 11:33
good to hear. post back if you have other questions or issues.

nelifecare (MIS)
29 Jan 10 15:52
Two more questions...

Lets say my VPN is bouncing due to carrier/general internet issues and I want to change all traffic to traverse the PtP until the situation is stable.

I know I could shutdown either Site A or Site B ethernet's interface to the Internet BUT is there another easier option?

Is it possible to route some traffic over the VPN and everything else over the PtP?

Thanks,

Jeremy
unclerico (IS/IT--Management)
29 Jan 10 22:05
sure. are you familiar with policy-based routing (PBR)??

nelifecare (MIS)
29 Jan 10 22:43
I am not familiar with PBR but am reading up on it now.

Thanks again!
