Velocity Reviews - Computer Hardware Reviews


cisco ASA5505 with dual ISP + IPSEC

 
 
eldo eldo is offline
Junior Member
Join Date: Sep 2011
Posts: 4
 
      09-21-2011
Hello guys,

I have a problem with dual ISP + IPSEC on my Cisco ASA5505 with the Security Plus licence.
Routing is working correctly (connecting to the Internet from siteA works through both the
first and the second ISP), but IPSEC works only through the first
ISP! It seems that phase 1 and phase 2 of IPSEC are correct, but packets
are only being encrypted, not decrypted. Do you have any idea what is wrong?

I'm trying to ping from siteA (PC - 10.4.1.66) to siteB (PC - 10.3.128.50)


Thanks

config site A:
##########################################################################

ASA5505 Version 8.2(1)

interface Vlan1
nameif inside
security-level 100
ip address 10.4.1.65 255.255.255.248
!
interface Vlan2
nameif primaryISP (NAT1:1 212.89.229.xz)
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Vlan3
nameif backupISP
security-level 0
ip address 212.89.235.yy 255.255.255.248

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3

access-list outside_cryptomap extended permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0

access-list nonat extended permit ip 10.4.1.64 255.255.255.248 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.4.1.64 255.255.255.248 10.16.0.0 255.255.0.0

pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu internet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface
global (internet) 1 interface

nat (inside) 0 access-list nonat
nat (inside) 1 10.4.1.64 255.255.255.248

route primaryISP 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
route backupISP 0.0.0.0 0.0.0.0 212.89.235.yy 254

snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 212.89.229.xx interface primaryISP
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 212.89.229.xx
crypto map outside_map0 1 set transform-set ESP-AES-256-SHA
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_cryptomap_1

crypto map outside_map0 interface primaryISP
crypto map outside_map0 interface backupISP

crypto isakmp identity hostname
crypto isakmp enable primaryISP
crypto isakmp enable backupISP

crypto isakmp policy 3
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 300
!
track 1 rtr 123 reachability
telnet 10.4.1.64 255.255.255.248 inside
telnet timeout 1440
ssh 10.4.1.64 255.255.255.248 inside
ssh 212.89.229.xx 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0

management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.160.23.2 source primaryISP
webvpn

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
pre-shared-key *




siteA# sh crypto isakmp sa d

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 212.89.229.xx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 300
Lifetime Remaining: 91





siteA# sh crypto ipsec sa
interface: internet
Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy

access-list outside_cryptomap permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
local ident (addr/mask/prot/port): (10.4.1.64/255.255.255.248/1/0)
remote ident (addr/mask/prot/port): (10.3.128.0/255.255.255.0/1/0)
current_peer: 212.89.229.xx

#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 212.89.235.yy, remote crypto endpt.: 212.89.229.xx

path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 2A9B550B

inbound esp sas:
spi: 0xCF456F65 (3477434213)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 32768, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4374000/28629)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x2A9B550B (714822923)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 32768, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4373999/28629)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001



siteA# sh logging asdm | i 10.3.128.50
6|Sep 19 2011 10:27:37|302020: Built outbound ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
6|Sep 19 2011 10:27:39|302021: Teardown ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024







config site B:
##########################################################################

ASA 5510 Version 8.0(4)

interface Ethernet0/0
nameif outside
security-level 0
ip address 212.89.229.xx 255.255.255.240
ospf cost 10

interface Ethernet0/1.10
vlan 10
nameif users
security-level 50
ip address 10.3.128.0 255.255.255.0


access-list siteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000


crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xz
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000


crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400


tunnel-group 212.89.229.xz type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
pre-shared-key *


tunnel-group 212.89.235.yy type ipsec-l2l
tunnel-group 212.89.235.yy ipsec-attributes
pre-shared-key *



SiteB# sh crypto isakmp sa d

Active SA: 7
Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 8

8 IKE Peer: 212.89.235.yy
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 300
Lifetime Remaining: 245


SiteB# sh crypto ipsec sa | b 212.89.235.yy

current_peer: 212.89.235.yy

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 212.89.229.xz, remote crypto endpt.: 212.89.235.yy

path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: CF456F65

inbound esp sas:
spi: 0x2A9B550B (714822923)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4378624, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/27310)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00001FFF
outbound esp sas:
spi: 0xCF456F65 (3477434213)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4378624, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/2730
IV size: 16 bytes
replay detection support: Y



siteB# sh logging asdm | i 10.4.1.66
6|Sep 19 2011 10:29:49|302021: Teardown ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
6|Sep 19 2011 10:29:50|302020: Built inbound ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
 

Last edited by eldo; 09-21-2011 at 09:03 AM..
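The symptom in the post is visible in the counters alone: site A's SA shows 7 encaps and 0 decaps, site B's shows 12 decaps and 0 encaps, while the SPIs match on both ends (A's outbound 0x2A9B550B is B's inbound), so phase 2 is fine and the problem is the return path. The following script is an added example, not part of eldo's post or of any Cisco tool: it parses `show crypto ipsec sa` output into per-peer counters and classifies each SA as bidirectional, encrypt-only, decrypt-only or idle, then cross-checks the two ends of a tunnel. The sample outputs are constructed from the counter lines posted above; the function and class names are the example's own.

```python
"""Parse ASA 'show crypto ipsec sa' output and flag one-way tunnels.

Added example, not from the original post. The two samples below are
constructed from the counter lines eldo posted for site A and site B.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: site A's SA towards site B (sends, never receives).
SA_SITE_A = """\
interface: internet
Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy

current_peer: 212.89.229.xx

#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

# Constructed sample: site B's SA towards site A (receives, never sends).
SA_SITE_B = """\
current_peer: 212.89.235.yy

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#send errors: 0, #recv errors: 0
"""


@dataclass
class SaCounters:
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int

    @property
    def verdict(self) -> str:
        """Classify the SA from the direction the packets are flowing."""
        if self.encaps and not self.decaps:
            return "ENCRYPT-ONLY: we send but never receive; check the far end's return path"
        if self.decaps and not self.encaps:
            return "DECRYPT-ONLY: we receive but never send; our replies are not using this SA"
        if self.encaps and self.decaps:
            return "OK: bidirectional"
        return "IDLE: no traffic has hit this SA"


PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
ERR_RE = re.compile(r"#send errors:\s*(\d+),\s*#recv errors:\s*(\d+)")


def parse_ipsec_sa(text: str) -> list[SaCounters]:
    """Split the output into one chunk per 'current_peer:' and read the counters."""
    results: list[SaCounters] = []
    for chunk in re.split(r"(?=current_peer:)", text):
        peer = PEER_RE.search(chunk)
        if not peer:
            continue  # header lines before the first peer block
        enc = ENCAPS_RE.search(chunk)
        dec = DECAPS_RE.search(chunk)
        err = ERR_RE.search(chunk)
        results.append(SaCounters(
            peer=peer.group(1),
            encaps=int(enc.group(1)) if enc else 0,
            decaps=int(dec.group(1)) if dec else 0,
            send_errors=int(err.group(1)) if err else 0,
            recv_errors=int(err.group(2)) if err else 0,
        ))
    return results


def cross_check(local: SaCounters, remote: SaCounters) -> str:
    """Compare both ends of one tunnel: what we encapsulate must show up as
    decaps on the far side, and its replies as decaps on ours."""
    if local.encaps and remote.decaps and not remote.encaps:
        return ("far end decrypts our packets but sends nothing back on this SA: "
                "its reply traffic is being steered elsewhere (routing or crypto map selection)")
    if local.encaps and not remote.decaps:
        return "our packets never reach the far end: check the path and NAT between the endpoints"
    return "counters are consistent with a working tunnel"


if __name__ == "__main__":
    a = parse_ipsec_sa(SA_SITE_A)[0]
    b = parse_ipsec_sa(SA_SITE_B)[0]
    print("site A ->", a.peer, a.verdict)
    print("site B ->", b.peer, b.verdict)
    print("cross-check:", cross_check(a, b))
```

Paste the real `show crypto ipsec sa` output from both firewalls into the two strings; when the local side is encrypt-only and the remote is decrypt-only, the tunnel itself is healthy and the fault is in how the far end selects the SA for its replies, which is exactly what the solution post below this thread found.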
eldo eldo is offline
Junior Member
Join Date: Sep 2011
Posts: 4
 
      09-21-2011
Solution from:
https://supportforums.cisco.com/thread/2105304

The crypto map entries are evaluated sequentially; that means that, as you have the same ACL on both
entries, the traffic will always match seq #9 and be directed to the peer defined in that sequence.
If you want to do active/Standby IPSEC tunnels between your two ISPs, you can use multiple peers, like:

crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx 212.89.235.yy
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000

If you want to load balance between your two ISPs, you will need to have different ACLs, e.g.
sequence 9 for traffic directed to remote network 1 and sequence 10 for remote network 2; but
in that case, if a remote peer is down, half of the traffic will be down.
 
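The root cause above is a crypto map entry that can never be selected: entries are walked in ascending sequence order and the first `match address` ACL that matches wins, so site B's seq 10 (peer 212.89.235.yy) is shadowed by seq 9 and replies to site A always go out towards the primary ISP address. The script below is an added example, not part of the thread or of any Cisco product: a small linter that parses `crypto map ... match address` and `set peer` lines, groups them by map name and flags every sequence whose ACL was already claimed by a lower sequence. The two configs are constructed from site B's posted config (broken) and from the multiple-peer fix quoted from the Cisco support forum, using the peer address as it appears in site B's own config (212.89.229.xz). Function names are the example's own.

```python
"""Lint ASA crypto map entries for shadowed (unreachable) sequences.

Added example, not from the thread or from Cisco. Crypto map entries are
evaluated in ascending sequence order and the first 'match address' ACL
that matches wins, so a later entry that reuses the same ACL can never be
selected. Both configs below are constructed from the thread.
"""
import re
from collections import defaultdict

# Constructed from site B's posted config: seq 10 reuses the ACL of seq 9.
BROKEN_SITE_B = """\
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xz
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
"""

# Constructed from the quoted fix: one entry, two peers (active/standby).
FIXED_SITE_B = """\
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xz 212.89.235.yy
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
"""

# Only the two sub-commands the shadowing check needs; others are skipped.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (.+)$")


def parse_crypto_maps(config):
    """Return {map_name: {seq: {"acl": str | None, "peers": [str, ...]}}}."""
    maps = defaultdict(lambda: defaultdict(lambda: {"acl": None, "peers": []}))
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # 'set transform-set', 'interface', blank lines, etc.
        name, seq, kind, rest = m.groups()
        entry = maps[name][int(seq)]
        if kind == "match address":
            entry["acl"] = rest.strip()
        else:
            entry["peers"].extend(rest.split())  # 'set peer a b' lists backups
    return maps


def find_shadowed(config):
    """List (map, seq, acl, shadowing_seq) for entries that can never match.

    Walks each map in sequence order, exactly as the ASA evaluates it, and
    reports any sequence whose ACL was already used by an earlier one.
    """
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        first_seq_for_acl = {}
        for seq in sorted(entries):
            acl = entries[seq]["acl"]
            if acl is None:
                continue  # incomplete entry; nothing to match on
            if acl in first_seq_for_acl:
                findings.append((name, seq, acl, first_seq_for_acl[acl]))
            else:
                first_seq_for_acl[acl] = seq
    return findings


def peers_for(config, name, seq):
    """Peer list of one entry, in the order the ASA will try them."""
    return parse_crypto_maps(config)[name][seq]["peers"]


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_SITE_B), ("fixed", FIXED_SITE_B)):
        hits = find_shadowed(cfg)
        if hits:
            for name, seq, acl, by in hits:
                print(f"{label}: crypto map {name} seq {seq} (ACL {acl}) is shadowed by seq {by}")
        else:
            print(f"{label}: no shadowed entries")
    print("fixed seq 9 peers:", peers_for(FIXED_SITE_B, "outside_map", 9))
```

Run it against a `show running-config crypto map` dump before relying on a backup tunnel. The same-ACL check only catches exact duplicates; two differently named ACLs with overlapping entries shadow each other just as well, so when in doubt compare the ACL contents too. With the multiple-peer form, the ASA only moves on to the second peer once it decides the first is unreachable, so the failover is only as quick as the peer-liveness detection you have configured.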