Monday, December 7, 2020

Cisco ASA 5508 VTI Cannot ping directly connected VTI Endpoint IP

Hello,

I have configurations of VTIs using BGP as a method for failover on many different deployments (1 ISP to 2, 2 to 2 ISPs, etc.). They have all worked fine. Tonight I was setting this up as a conversion from CMAP and no failover. I noticed the BGP peer for the secondary tunnel wasn't coming up. I figured it would be a BGP issue. I checked the tunnel; it was up/up with phase 1 and phase 2 being up. I pinged the tunnel IP on the far side, nothing. OK, so the far side ASA has only 1 ISP; there is a host route to it over the primary ISP with tracking (other sites I've done have this as well). When I remove this route, the secondary VTI comes up and the first goes down, and BGP peers over it, whilst the primary peer fails. If I add the route back, the opposite happens. This proves failover works, but not why the VTI endpoint can't ping; the directly connected route is in the routing table, so it shouldn't try to route over the default... This is the only time I've ever had this problem.

The ASA was running 9.12.3 originally; then I updated to 9.14.1.

I checked the other ASAs just to be sure, and they all have a host route to the tunnel destination over 1 tracked static route, and both tunnel endpoints are pingable. The only thing I can think of is uRPF or something. It must be some sort of asymmetrical issue.
