backup WAN routing with... an ASA at one end

Started by wintermute000, July 03, 2017, 05:48:12 PM


wintermute000

I have a scenario where I'm potentially considering an internet VPN failover (in addition to a standard L3VPN WAN) for a branch site; however, the customer has a stupid ASA at their DC internet.

It's been a while for me, but I recall that you can't do route-based VPNs and are left with old-school policy-based crypto maps (maybe in the latest 9.7, but let's assume that's not feasible, because if we take that option then yeah, just GRE and route over it).

What are my options? IP-SLA + PBR/floating statics at the branch side? How about the DC side: how do I get failover from the WAN (separate DC router, obviously) to the ASA if I don't have routing? Do I have to use bloody IP-SLA and floating statics, etc.?
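The crypto-map-only case asked about above, worked through as an added example (not the poster's config and not Cisco documentation): a branch IOS router with a tracked static over the L3VPN and a floating static toward the internet, and the DC ASA with just a static route and NAT exemption for the branch prefix. All addressing is constructed: branch LAN 10.2.0.0/16, DC LAN 10.1.0.0/16, WAN next hop 172.16.0.1, branch internet next hop 198.51.100.1, DC ASA outside 203.0.113.10 with next hop 203.0.113.1, DC core 10.1.1.1, DC WAN router 10.1.1.2, ASA inside 10.1.1.254. The IKE policy, transform set TS-DC, and the ASA's mirrored crypto map are assumed to exist.

```cisco
! ===== Branch router (IOS) =====
! Probe the DC core's loopback (10.1.255.1, constructed) over the WAN only.
! The untracked host route pins the probe to the WAN path, so after failover
! it keeps failing until the WAN actually returns (no flap through the backup).
ip route 10.1.255.1 255.255.255.255 172.16.0.1
ip sla 1
 icmp-echo 10.1.255.1 source-interface GigabitEthernet0/1
 frequency 5
 timeout 2000
 threshold 1000
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 10 up 30
! Primary: DC LAN over the L3VPN, withdrawn when the probe fails
ip route 10.1.0.0 255.255.0.0 172.16.0.1 track 1
! Backup: floating static (AD 250) toward the internet; the crypto map on the
! internet interface encrypts whatever matches VPN-TO-DC
ip route 10.1.0.0 255.255.0.0 198.51.100.1 250
! The crypto ACL must cover exactly the prefixes the routes above send this way
ip access-list extended VPN-TO-DC
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto map CM-DC 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-DC
 match address VPN-TO-DC
interface GigabitEthernet0/0
 description Internet
 ip address 198.51.100.2 255.255.255.252
 crypto map CM-DC

! ===== DC ASA =====
! The ASA needs no knowledge of the WAN path: send the branch prefix out
! 'outside' so the crypto map sees it, exempt it from NAT, and let the
! core decide when to hand traffic to the ASA.
object network DC-LAN
 subnet 10.1.0.0 255.255.0.0
object network BRANCH-LAN
 subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source static DC-LAN DC-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
route outside 10.2.0.0 255.255.0.0 203.0.113.1 1
route inside 10.1.0.0 255.255.0.0 10.1.1.1 1

! ===== DC core (IOS / L3 switch) =====
! If the WAN router advertises the branch prefix into the core dynamically
! (BGP/OSPF), the core only needs a floating static toward the ASA inside
! address: the dynamic route wins while the WAN is up and vanishes when it
! is not, so no IP SLA is needed on this side.
ip route 10.2.0.0 255.255.0.0 10.1.1.254 250
! If the WAN route is a plain static instead, track it the same way as on
! the branch (probe the branch loopback via the WAN router only):
! ip route 10.2.255.1 255.255.255.255 10.1.1.2
! ip route 10.2.0.0 255.255.0.0 10.1.1.2 track 1
```

The probe host route is the piece most often forgotten: without it the SLA echo follows the backup route once the tracked route is gone, succeeds over the VPN, reinstates the WAN route, fails again, and the site flaps. Symmetry also matters for the ASA: because it is stateful, a flow that leaves the DC over the WAN and returns through the ASA after a partial failure is dropped unless the core's switchover covers both directions.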

deanwebb

Here's how VTI is *supposed* to work in 9.7: https://techstat.net/cisco-asa-9-7-route-based-vpn-load-balancing-failover-setup-guide/

I wonder if Dieselboy ever got the fix to get VTI working from Cisco TAC...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

My VTI problem turned out to be the Riverbed intercepting the client ACK in the 3-way handshake and the main office ASA was therefore not seeing the 3-way handshake establish and I was getting symptoms of around 20% packet loss.

I once did a network design similar to your description and it went well. Follow this:

ASA firewall at the main office (LDN) with an 80M internet link and 20M private circuit to their remote office in NY.
The 80M internet also ran a Branch Office VPN to the remote office.
This was back in 2011 so only crypto map VPNs on the ASA.

The issue that was described was that the 80M VPN was capable of a lot more traffic than the private circuit and so gave a faster response. There were two requirements:
1. BOVPN to be the primary route and to fail over to the 20M private circuit if the VPN is down
2. the remote office only had the one internet circuit in their office so they wanted the remote office internet to fail over to LDN through the private circuit and out through LDN internet

For point 1, I used OSPF to route to the remote site via the VPN and to fail over to the private circuit.

For point 2, can't remember exactly. I think I used OSPF to advertise a default route across the private circuit and used a track route on the remote firewall to remove the default when the internet went down so it fails over to the private circuit. I remember the first failover test didn't work because I (bang head) forgot to add the NY subnet to the LDN ASA dynamic NAT rule. Took a split second to realise because the cyclic ASDM log buffer told me as soon as the LDN ASA received the traffic from NY.

The thing with the ASA VTIs is that you can't use OSPF. You can use BGP but I didn't see much point. If you want fast failover I'd try and use static routes. When the VTI goes down, the routes are removed from the route table. I have VTIs running between ASA and IOS router and no issues (now).

If you're going VPN between ASA local and ASA remote then you can use OSPF over crypto map.

Two more things I will finally say: TCP state bypass on the ASA will be required if traffic can fail back to the ASA.
And: ASA service policy rules are compounded, meaning if a packet matches two rules in the "global policy" then both rules' actions will be applied to the same packet. This is very handy to know and I make use of this.
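The VTI version of the LDN/NY design from this post, written out as an added example (this is not Dieselboy's configuration): the LDN ASA (9.7 or later) carries NY over a VTI with a static route that disappears when the tunnel interface goes down, a floating static toward the private circuit, a NAT rule that already includes the NY subnet, and the TCP state bypass class the post says is required. Addressing is constructed: LDN LAN 10.1.0.0/16, NY LAN 10.2.0.0/16, VTI 172.16.1.0/30, NY peer 198.51.100.1, LDN inside router 10.1.1.2. The IKEv2 policy and the tunnel-group with its pre-shared key are assumed to exist.

```cisco
! ===== LDN ASA =====
! IPsec proposal/profile for the VTI (IKEv2 policy and tunnel-group assumed)
crypto ipsec ikev2 ipsec-proposal AES-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES-GCM
crypto ikev2 enable outside

interface Tunnel1
 nameif vti
 ip address 172.16.1.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! Primary: NY via the VTI (AD 1). The ASA withdraws this route when Tunnel1
! goes down, so the floating static (AD 200) via the private-circuit router
! takes over without any OSPF or SLA tracking on the ASA.
route vti 10.2.0.0 255.255.0.0 172.16.1.2 1
route inside 10.2.0.0 255.255.0.0 10.1.1.2 200

! NY internet via LDN: NY traffic can arrive on 'vti' or, after failover, on
! 'inside', so NAT from any interface to 'outside', and include the NY subnet
! (the rule the post says was forgotten on the first failover test).
object-group network INTERNET-NAT
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
nat (any,outside) after-auto source dynamic INTERNET-NAT interface
! Inside<->vti traffic matches no NAT rule, so no identity NAT is needed.

! TCP state bypass for LDN<->NY. After failback a flow set up over the private
! circuit can reach the ASA mid-stream; without bypass the ASA drops it for
! lack of a SYN. Scope it to the two LANs only, not 'any'.
access-list TCP-BYPASS extended permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list TCP-BYPASS extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
class-map TCP-BYPASS
 match access-list TCP-BYPASS
policy-map global_policy
 class TCP-BYPASS
  set connection advanced-options tcp-state-bypass
service-policy global_policy global
```

The LDN inside router still needs its own decision about whether to hand NY-bound traffic to the ASA or to the private circuit (a tracked static, or BGP to the ASA as the post mentions); the ASA's floating static only covers traffic that is already on the ASA, such as internet replies to NY hosts. A stale router route cannot loop through the ASA, because inside-to-inside hairpinning is refused unless `same-security-traffic permit intra-interface` is configured. The bypass class is also where the "compounded" service-policy behaviour shows up: a packet matching both `inspection_default` and `TCP-BYPASS` gets both actions, which is what you want here but is worth checking whenever a new class is added to `global_policy`.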