site2site dsl vpn with cellular backup

nhidalgo (MIS, US), Jun 13, 2001
I currently have a 50-site L2L IPsec VPN terminating at a Cisco ASA at HQ. The remote sites have a Cisco 2800 with either DSL or cable Internet service. I have since purchased a Sprint cellular HWIC for backup and am trying to integrate it. If the DSL goes down, I would like the HWIC to dial and re-establish the tunnel. I have the cellular card set up as a backup interface. I have also put an SLA on the primary DSL route. This pings a router behind my ASA, and if it is unreachable for 30 seconds it removes my DSL default route and routes traffic through the cellular modem. This all works. The tunnel just doesn't establish again once the cellular connection comes up. I have the crypto map statements on both the DSL interface and the cellular interface. If I boot the router with the external DSL modem turned off, the router automatically kicks in the cellular card and creates the tunnel. Is there a setting I am missing on the ASA or the router? Any input would be great.

Nick
 
You need to look at your log history to check whether the backup device is able to hit the FW; if so, is it being denied by an ACL / policy on the FW? Could do with some more details on this one, really.

Could be anything; routing issues are quite possible.
 
Hard to say... post a sh run from a 2800 and from the ASA.
Also, do you have the WIC-1ADSL WICs in the 2800s? You mention external ADSL modems, and you also mention that the crypto map is applied to both the cellular interface (HWIC) and the ADSL interface...
Under normal, regular routing circumstances, a floater usually does the trick...

ip route 0.0.0.0 0.0.0.0 di0
ip route 0.0.0.0 0.0.0.0 s0/0 10

Burt
 
Sorry for the delay in replying. I had turned my test router off for the weekend at the office.

The DSL modem is an external one in bridged mode, connected to the f0/0 Ethernet interface. The interface has the static IP applied.

The floating route works for bringing the Internet connection back up via the cellular interface, but tunnel traffic doesn't work. When I boot the router, the tunnel comes up via the DSL connection. If I turn the modem off, the default route becomes the cellular interface and I can access the web, but no tunnel. Also, show crypto ipsec sa still shows the tunnel via the DSL connection IP still there, and also shows the tunnel via the cellular interface, but it has send errors. If I boot the router with the DSL connection out, the tunnel comes up via the cellular connection without a problem.

Router Config:

Building configuration...

Current configuration : 7897 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname fithstreet
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical

!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
dot11 syslog
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
no ip bootp server
ip name-server 192.168.90.197
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
login block-for 30 attempts 5 within 5
!
multilink bundle-name authenticated
!
!
voice-card 0
!
chat-script cdma "" "AT$QCMIPP=1" "OK" "ATDT#777" TIMEOUT 60 CONNECT
!
voice call carrier capacity active
archive
 log config
  hidekeys
!
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
crypto isakmp key ******* address ASA_Address
crypto isakmp keepalive 60 5 periodic
!
!
crypto ipsec transform-set Store esp-3des esp-sha-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer ASA_address
set transform-set Store
match address 120
!
!
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
backup delay 60 300
backup interface Cellular0/3/0
ip address STATIC_PUBLIC_IP 255.255.255.248

ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map nolan
!
interface FastEthernet0/1
ip address 192.168.111.1 255.255.255.0
duplex auto
speed auto
!
interface Cellular0/3/0
ip address negotiated
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer idle-timeout 3600
dialer string cdma
dialer-group 1
async mode interactive
ppp ipcp dns request
crypto map nolan
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Static_IP_Gateway
ip route 0.0.0.0 0.0.0.0 Cellular0/3/0 10
!
!
ip http server
no ip http secure-server
!

ip sla schedule 1 life forever start-time now
access-list 120 permit ip 192.168.111.0 0.0.0.255 any
access-list compiled
dialer-list 1 protocol ip list 1
no cdp run

!
!
control-plane

line con 0
line aux 0
line 0/3/0
exec-timeout 0 0
script dialer cdma
modem InOut
no exec
transport input all
transport output all
autoselect during-login
autoselect ppp
rxspeed 3100000
txspeed 1800000
line vty 0 4
access-class 1 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 192.168.90.1
end
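One way to wire the pieces the thread describes together, as an added example from the editor rather than the poster's or Burt's configuration: the DSL default route is tied to an IP SLA track that probes a public host pinned through the DSL gateway, the floating route via the HWIC takes over when the track goes down, and an EEM applet clears the crypto session on every track transition so that IKE is renegotiated from whichever interface now owns the default route. ASA_Address and Static_IP_Gateway are the same placeholders the thread uses; DSL_Probe_Target is an assumed public address (for instance the DSL ISP's DNS server) that is used only for probing; the ASA fragment assumes the ASA matches the remote site with a dynamic crypto map, which the page implies (the tunnel comes up from the carrier-assigned cellular address) but does not show.

```cisco
! --- Router (IOS 12.4, 2800) --- added example, not the poster's running config
!
! Probe a public host through the DSL path. Sourcing from Fa0/0 and pinning
! the target via the DSL gateway (host route below) means the probe keeps
! leaving through DSL even after failover, so the track cannot flap back up
! just because the cellular path is working.
ip sla 1
 icmp-echo DSL_Probe_Target source-interface FastEthernet0/0
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
ip route DSL_Probe_Target 255.255.255.255 Static_IP_Gateway
!
! Down after 30 s of failed probes (the poster's figure), up after 60 s.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! The primary default route is withdrawn while the track is down; the
! floating route via the HWIC (AD 10) is installed in its place.
ip route 0.0.0.0 0.0.0.0 Static_IP_Gateway track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/3/0 10
!
! The crypto map stays applied to both WAN interfaces, as in the posted
! config. On every track transition, tear down the IKE and IPsec SAs so the
! next packet matching access-list 120 starts a fresh negotiation sourced
! from the interface the default route now points at. (On images whose EEM
! lacks "event track", "event syslog pattern" on the TRACKING-5-STATE
! message for track 1 does the same job.)
event manager applet VPN-FAILOVER
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto session remote ASA_Address"
 action 3.0 syslog msg "track 1 changed state; crypto session to ASA cleared"
!
! --- ASA --- assumption: remote sites are matched by a dynamic crypto map.
! DPD lets the ASA drop the stale SA built from the DSL address instead of
! keeping it until the lifetime expires, which is what leaves the second
! SA (from the cellular address) with send errors.
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 3
```

Two things to watch when moving to this arrangement. First, remove `backup interface Cellular0/3/0` from FastEthernet0/0: with an external modem in bridged mode the Fast Ethernet line protocol stays up through an upstream DSL outage, so the backup mechanism never fires, and while it is configured the HWIC sits in standby and the floating route cannot be installed at all; the HWIC must instead dial on interesting traffic, so the access list named in `dialer-list 1 protocol ip list 1` (not shown in the posted config) has to match the LAN's outbound traffic. Second, the `crypto map ... local-address Loopback0` option often suggested for a crypto map on two interfaces does not fit here, because the loopback address would have to be routable from the ASA over the cellular path, and the HWIC gets a carrier-assigned address; clearing the session on the transition and letting each interface negotiate with its own address is what the tracked route plus EEM applet does instead.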
 