The way the crypto map there is written, OSPF takes care of it. Priority line 10 of the crypto map calls an ACL that encrypts OSPF traffic from R2 --> ASA1 and traffic to the remote network. Priority 20 calls a different ACL that encrypts OSPF traffic from R2 --> ASA2 and the remote network.

When ASA1 comes back online, the OSPF adjacency comes back up. Now, the real trick then is how do you prefer OSPF routes from ASA1 over ASA2 by default if both peerings are on the same interface? You can do a few things -- on the ASA side you can advertise a default route only and make the cost lower on the default-information originate command. The other thing you can do, on the IOS side, is set the OSPF network type to point-to-multipoint non-broadcast. With that network type you can set the cost of routes on a per-neighbor basis, instead of just the interface.

On Tue, May 15, 2012 at 5:36 PM, Eugene Pefti <[email protected]> wrote:
> He-he...
> Maybe it was the ASA developers' idea to stress the fact that ASA doesn't
> support broadcasts and point-to-point links.
> How did you make the router R2 use ASA1 as a peer once it's back online
> (after you failed it over to ASA2)?
>
> -----Original Message-----
> From: Joe Astorino [mailto:[email protected]]
> Sent: Tuesday, May 15, 2012 2:18 PM
> To: Eugene Pefti
> Cc: Piotr Matusiak; [email protected]
> Subject: Re: [OSL | CCIE_Security] DPD preemption?
>
> So I labbed this up. I was able to get it working, but I am having some
> issues I think related to QEMU or Dynamips so I will have to put it to rest
> for now.
>
> Here is what my remote spoke looks like for the crypto map.
> 10.10.20.11 is ASA1 and 10.10.20.12 is ASA2. 2.2.2.2/32 is a loopback on a
> router behind the ASA.
>
> R2#sh access-list
> Extended IP access list CRYPTO-ACL
>     10 permit ip host 2.2.2.2 host 10.10.10.1
>     20 permit ospf host 10.10.20.2 host 10.10.20.11 (44 matches)
>
> Extended IP access list CRYPTO-ACL2
>     10 permit ip host 2.2.2.2 host 10.10.10.1
>     20 permit ospf host 10.10.20.2 host 10.10.20.12 (49 matches)
>
> crypto map CRYPTO-MAP 10 ipsec-isakmp
>  set peer 10.10.20.11
>  set transform-set ESP-3DES-MD5
>  match address CRYPTO-ACL
> !
> crypto map CRYPTO-MAP 20 ipsec-isakmp
>  set peer 10.10.20.12
>  set transform-set ESP-3DES-MD5
>  match address CRYPTO-ACL2
>
> It works but like I said I think I am having some emulation issues.
> Every time I shut down an interface to force the failover then bring the
> interface back online I totally lose all communication.
>
> Also, there is some creativity needed to get OSPF peering to even work. For
> some reason I have yet to figure out, the ASA has some insane OSPF network
> type known as "point-to-point non-broadcast" that is required in order to run
> unicast peerings. This network type does not freaking exist in the regular
> router world, but on the ASA it seems it is very similar to
> "point-to-multipoint non-broadcast" in router world except that the timers
> for the ASA version are "fast" at 10/40. Thus, to get the peering working
> you need to adjust timers on one end or the other.
>
> Just out of curiosity, does anybody know where in the world "point-to-point
> non-broadcast" comes from and why they would choose to use an OSPF network
> type that doesn't even exist in IOS implementations?
>
> On Tue, May 15, 2012 at 4:45 PM, Eugene Pefti <[email protected]> wrote:
>> I remember trying to implement not point-to-point but three ASAs following
>> this example.
>> E.g. if ASA2 is not available then ASA1 should be peering with ASA3 and in
>> case ASA1 is back then ASA2 should be pre-empting to it from ASA3. I managed
>> to do OSPF peering with unicasts/neighbor statement but how would I set
>> preferred peer even if I have two crypto maps? I assume it is still one
>> crypto map but different sequence numbers.
>>
>> Eugene
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Piotr Matusiak
>> Sent: Tuesday, May 15, 2012 7:50 AM
>> To: Joe Astorino
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Security] DPD preemption?
>>
>> It's nothing uncommon. See the example on the Cisco site:
>>
>> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml
>>
>> Regards,
>> Piotr
>>
>> -----Original Message-----
>> From: Joe Astorino
>> Sent: Tuesday, May 15, 2012 4:39 PM
>> To: Piotr Matusiak
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Security] DPD preemption?
>>
>> Yeah, in the CCIE lab we could make it work...but for a real world
>> deployment I'm afraid this is just too much of a pain in the butt to be
>> realistic. Thanks for the suggestions and time, but I think I will be
>> sticking with VTI --> VTI on IOS based routers for the time being.
>>
>> On Tue, May 15, 2012 at 10:37 AM, Piotr Matusiak <[email protected]> wrote:
>>> Joe,
>>>
>>> ASA does not support dynamic routing over the IPSec tunnel because
>>> IPSec itself does not support mcast traffic. What about using a
>>> unicast-based routing protocol like OSPF (neighbor command)? That
>>> would do the trick I believe.
>>>
>>> Regards,
>>> Piotr
>>>
>>> -----Original Message-----
>>> From: Joe Astorino
>>> Sent: Tuesday, May 15, 2012 4:34 PM
>>> To: Piotr Matusiak
>>> Cc: [email protected]
>>> Subject: Re: [OSL | CCIE_Security] DPD preemption?
>>>
>>> I'm sure I am misunderstanding you, because as you know the ASA
>>> cannot do dynamic routing over IPSEC due to its lack of support for
>>> GRE or VTI and thus multicast. So with that being said, what do you
>>> mean by dynamic routing?
>>>
>>> Thanks for your thoughts gents
>>>
>>> On Tue, May 15, 2012 at 12:38 AM, Piotr Matusiak <[email protected]> wrote:
>>>> One more thought. What about setting up two crypto-map-based tunnels
>>>> with dynamic routing on it preferring the nearest site?
>>>>
>>>> Regards,
>>>> Piotr
>>>>
>>>> -----Original Message-----
>>>> From: Joe Astorino
>>>> Sent: Monday, May 14, 2012 11:55 PM
>>>> To: Piotr Matusiak
>>>> Cc: [email protected]
>>>> Subject: Re: [OSL | CCIE_Security] DPD preemption?
>>>>
>>>> Sounds like the best option is to continue to use VTI with routers
>>>> at remote sites terminating to routers at the head end. A shame the
>>>> ASA is not a bit more versatile in its capabilities : (
>>>>
>>>> On Mon, May 14, 2012 at 4:47 PM, Piotr Matusiak <[email protected]> wrote:
>>>>> Hi Joe,
>>>>>
>>>>> EEM is the option for you. I don't recall any other option now.
>>>>>
>>>>> Regards,
>>>>> Piotr
>>>>>
>>>>> -----Original Message-----
>>>>> From: Joe Astorino
>>>>> Sent: Monday, May 14, 2012 9:02 PM
>>>>> To: Mohamed Gazzaz
>>>>> Cc: [email protected]
>>>>> Subject: Re: [OSL | CCIE_Security] DPD preemption?
>>>>>
>>>>> I appreciate that, but I have indeed read all those papers. HSRP
>>>>> and SSO do not help me because the primary ASA is in Michigan and
>>>>> the secondary ASA is in London, UK.
>>>>>
>>>>> The goal is to have a remote site router closer to the US have a
>>>>> primary IPSEC connection to the Michigan ASA and a backup IPSEC
>>>>> connection to the London ASA, while a site closer to Europe would
>>>>> be the opposite. The remote site routers have only a single
>>>>> internet connection. Today it works because instead of an ASA at
>>>>> the head ends I have IOS routers with VTI interfaces, and thus I
>>>>> run BGP which takes care of things. I am looking for a simpler
>>>>> design and to utilize the ASAs instead.
>>>>>
>>>>> On Mon, May 14, 2012 at 2:24 PM, Mohamed Gazzaz <[email protected]> wrote:
>>>>>> Hi Joe,
>>>>>>
>>>>>> Please have a look at the following links (they might give you an
>>>>>> idea):
>>>>>>
>>>>>> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/white_paper_c11_472859.html
>>>>>>
>>>>>> https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/04/25/ipsec-vpn-redundancy-failover-over-redundant-isp-links
>>>>>>
>>>>>> http://blog.ine.com/2008/11/06/ipsec-vpn-high-availability-with-hsrp/
>>>>>>
>>>>>> Regards,
>>>>>> Mohamed Gazzaz
>>>>>>
>>>>>>> Date: Mon, 14 May 2012 12:57:56 -0400
>>>>>>> From: [email protected]
>>>>>>> To: [email protected]
>>>>>>> Subject: [OSL | CCIE_Security] DPD preemption?
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I am working on a design trying to accomplish the following: I
>>>>>>> have two ASAs that need to terminate L2L IPSEC tunnels to some
>>>>>>> remote sites but they are in different regions of the world. The
>>>>>>> idea is that a remote site will have a tunnel to the ASA closest
>>>>>>> to the site, and a backup tunnel to the other. I believe I can
>>>>>>> accomplish this by having a crypto map on the remote router with
>>>>>>> two "set peer" commands on the same crypto map line. It looks
>>>>>>> like dead peer detection will detect if the primary link goes
>>>>>>> down and failover to the secondary, but I don't see a way to make
>>>>>>> it recover after the primary comes back up. Is there a way to
>>>>>>> accomplish that?
>>>>>>>
>>>>>>> I would want it to fail back over to the primary because the
>>>>>>> primary will be geographically closer and yield better response times.
>>>>>>>
>>>>>>> Is there a better way to do something like this?
>>>>>>>
>>>>>>> --
>>>>>>> Regards,
>>>>>>>
>>>>>>> Joe Astorino
>>>>>>> CCIE #24347
>>>>>>> http://astorinonetworks.com
>>>>>>>
>>>>>>> "He not busy being born is busy dying" - Dylan
>>>>>>> _______________________________________________
>>>>>>> For more information regarding industry leading CCIE Lab
>>>>>>> training, please visit www.ipexpert.com
>>>>>>>
>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>> www.PlatinumPlacement.com

--
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
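An added configuration example, not taken from the thread, that puts the two preference knobs from the reply above into a fragment: the R2 spoke keeps the thread's two crypto map entries, peers with each ASA by unicast over point-to-multipoint non-broadcast with the ASA's 10/40 timers, and uses a per-neighbor OSPF cost so ASA1 (10.10.20.11) is preferred and ASA2 (10.10.20.12) only carries traffic while ASA1 is down. The OSPF process numbers, area, interface names, cost and metric values, and the ASA side of the configuration are assumptions.

```cisco
! --- R2 (IOS spoke), added example; interface name, area and costs are assumed ---
interface FastEthernet0/0
 ip address 10.10.20.2 255.255.255.0
 ! P2MP non-broadcast permits unicast neighbors and a cost per neighbor
 ip ospf network point-to-multipoint non-broadcast
 ! match the ASA's "fast" 10/40 timers from the thread (IOS P2MP non-broadcast defaults to 30/120)
 ip ospf hello-interval 10
 ip ospf dead-interval 40
 crypto map CRYPTO-MAP
!
router ospf 1
 network 10.10.20.0 0.0.0.255 area 0
 ! lower cost wins while both adjacencies are up; when ASA1 is down only the
 ! ASA2 path remains, and when ASA1 returns its routes are preferred again
 neighbor 10.10.20.11 cost 10
 neighbor 10.10.20.12 cost 100
!
! --- ASA1 (head end), added example; ASA2 is the same apart from its address and a higher default metric ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.20.11 255.255.255.0
 ! the ASA-only network type the thread discusses; its default timers are 10/40
 ospf network point-to-point non-broadcast
 ospf hello-interval 10
 ospf dead-interval 40
!
router ospf 1
 network 10.10.20.0 255.255.255.0 area 0
 neighbor 10.10.20.2 interface outside
 ! the other knob from the reply: advertise only a default route, with a lower
 ! metric on ASA1 than on ASA2 (assumed values 10 on ASA1, 100 on ASA2)
 default-information originate metric 10 metric-type 1
```

Either knob is enough on its own; per-neighbor cost keeps full prefixes from both ASAs in the spoke's table, while the default-only approach keeps the spoke's routing table minimal.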
