Cisco ASA site-to-site VPN failover

Tags: cisco, cisco-asa, failover, redundancy, vpn

We recently replaced international MPLS with new ASA 5510s and site-to-site VPNs. However, when we deployed this we ran into a problem where each remote location has 2 ISPs for redundancy, but when enabling the VPN on both interfaces it flaps between the two and the tunnel is up and down as the tunnel gets torn down and moved between ISPs. Cisco has been working on this for 8 months now and we still don't have stable tunnels with multiple ISPs.

Remote Office:

access-list RWS_TUNNEL remark Interesting traffic for IND-RWS tunnel
access-list RWS_TUNNEL extended permit ip object-group BNG_tunnel_NETS object-group CORP_tunnel_NETS
crypto map RWS_TUNNEL 1 match address RWS_TUNNEL
crypto map RWS_TUNNEL 1 set peer 216.xxx.102.2 
crypto map RWS_TUNNEL 1 set transform-set IND-RWS
tunnel-group 216.xxx.102.2 type ipsec-l2l
tunnel-group 216.xxx.102.2 ipsec-attributes
 pre-shared-key *****


route outside 0.0.0.0 0.0.0.0 216.xxx.206.1 1 track 2
route outside2 0.0.0.0 0.0.0.0 182.xxx.26.229 100
sla monitor 55
 type echo protocol ipIcmpEcho 63.251.61.142 interface outside
 num-packets 5
 timeout 1000
 frequency 10
sla monitor schedule 55 life forever start-time now
track 2 rtr 55 reachability

Central office:

access-list BNG_TUNNEL remark Interesting traffic for IND-RWS tunnel
access-list BNG_TUNNEL extended permit ip object-group CORP_tunnel_NETS object-group BNG_tunnel_NETS 

route outside2 0.0.0.0 0.0.0.0 216.xxx.102.1
crypto map BNG_TUNNEL 1 match address BNG_TUNNEL
crypto map BNG_TUNNEL 1 set peer 182.xxx.26.230 216.xxx.206.4
crypto map BNG_TUNNEL 1 set transform-set L2L

tunnel-group 182.xxx.26.230 type ipsec-l2l
tunnel-group 182.xxx.26.230 ipsec-attributes
 pre-shared-key *****
tunnel-group 216.xxx.206.4 type ipsec-l2l
tunnel-group 216.xxx.206.4 ipsec-attributes
 pre-shared-key *****

So what I've found is that when ISAKMP is enabled on both outside interfaces (remote office) and both IPs are configured as peers (central office), the VPN comes up successfully on both interfaces, but at some point it will begin flapping between IPs. This is true with or without the SLA monitoring, so even if the routes are all static, the behaviour still occurs.

Any insight is appreciated.
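Before changing the design, it helps to measure the flapping the question describes rather than eyeball it. The script below is an added example, not part of the original post and not Cisco tooling: it reads a constructed log of "tunnel established with peer X" events for the central-office side (the line format, timestamps and documentation addresses 192.0.2.230 and 198.51.100.4 are all made up for the example and are not ASA syslog format), counts how often the active peer changes, raises an alert when three or more peer changes land inside a five-minute window, and reports how long the tunnel stayed on each ISP's address. The window and threshold are assumptions to tune per site.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not real ASA syslog output). Each line marks the
# moment the central-office firewall completed a LAN-to-LAN negotiation with
# one of the remote office's two peer addresses (one per ISP).
SAMPLE_LOG = """\
2024-05-01T10:00:00 L2L tunnel established peer=198.51.100.4
2024-05-01T10:00:20 L2L tunnel established peer=192.0.2.230
2024-05-01T10:00:45 L2L tunnel established peer=198.51.100.4
2024-05-01T10:01:10 L2L tunnel established peer=192.0.2.230
2024-05-01T10:30:00 L2L tunnel established peer=192.0.2.230
2024-05-01T11:00:00 L2L tunnel established peer=198.51.100.4
"""

# Assumed line shape: ISO timestamp, fixed text, then the peer address.
LINE_RE = re.compile(r"^(\S+) L2L tunnel established peer=(\S+)$")


def parse_events(text):
    """Return a chronologically ordered list of (timestamp, peer) tuples."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore unrelated lines
        events.append((datetime.fromisoformat(match.group(1)), match.group(2)))
    events.sort(key=lambda e: e[0])
    return events


def peer_changes(events):
    """Return (timestamp, old_peer, new_peer) for every time the active peer moved.

    Re-negotiations with the same peer (a normal rekey) are not counted as a change.
    """
    changes = []
    current = None
    for ts, peer in events:
        if current is not None and peer != current:
            changes.append((ts, current, peer))
        current = peer
    return changes


def detect_flapping(events, window=timedelta(minutes=5), threshold=3):
    """Return the timestamps at which `threshold` or more peer changes fell inside `window`."""
    alerts = []
    recent = deque()  # timestamps of peer changes still inside the sliding window
    for ts, _old, _new in peer_changes(events):
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
    return alerts


def dwell_seconds(events):
    """Return seconds the tunnel spent on each peer, ignoring the open-ended final interval."""
    totals = {}
    for (start, peer), (end, _next_peer) in zip(events, events[1:]):
        totals[peer] = totals.get(peer, 0) + int((end - start).total_seconds())
    return totals


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for ts, old, new in peer_changes(evts):
        print(f"{ts.isoformat()} peer moved {old} -> {new}")
    for ts in detect_flapping(evts):
        print(f"FLAPPING: {ts.isoformat()} (3+ peer changes within 5 minutes)")
    for peer, secs in dwell_seconds(evts).items():
        print(f"{peer}: {secs}s on this peer")
```

Run it against an export of the firewall's tunnel-establishment messages (after adjusting LINE_RE to the real format) and compare the dwell times with the SLA monitor's frequency and timeout: a tunnel that never stays on the primary peer for longer than one SLA interval points at the tracking, while changes that continue with static routes point at the peer selection itself, which matches the observation in the question.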

Best Answer

I have been migrating sites away from policy-based VPNs for just this reason. Policy-based VPNs are too unpredictable when it comes to failover behavior. I much prefer route-based IPsec tunnels, either point-to-point or DMVPN. Unfortunately, to my knowledge the ASA platform still doesn't support route-based tunnels.