6 Replies Latest reply on Jan 9, 2014 10:31 AM by noor

    IP load sharing with VPN

    kchasta1n New Member

      I started with a 3448 and a single ISP on ETH 0/1. Firewall and VPN up and running on ISP #1.

      A second ISP is connected to ETH 0/2. The doc Configuring IP Load Sharing in AOS - Quick Configuration Guide.pdf is referenced to attempt to load share across the two ISPs. When I add the default route for ISP #2, the VPN traffic stops.

      Anyone have experience with this problem?

        • Re: IP load sharing with VPN
          jayh Hall_of_Fame

          With a LAN-to-LAN VPN, you'll need to build a second tunnel from the other end to the IP of ISP #2 and include its interface in your crypto map.

            • Re: IP load sharing with VPN
              kchasta1n New Member

              In this case I am attempting to load-share outbound internet traffic only. The VPN is configured only on ETH0/2. I have added a static route to force the VPN traffic out ETH0/2 and have used the reverse-route command. Occasionally the VPN traffic stops and I will delete the static route to ETH0/1 and the VPN traffic is restored. Any idea as to why the VPN traffic stops?

                • Re: IP load sharing with VPN
                  jayh Hall_of_Fame

                  kchasta1n wrote:

                  In this case I am attempting to load-share outbound internet traffic only. The VPN is configured only on ETH0/2. I have added a static route to force the VPN traffic out ETH0/2 and have used the reverse-route command. Occasionally the VPN traffic stops and I will delete the static route to ETH0/1 and the VPN traffic is restored. Any idea as to why the VPN traffic stops?

                  Was the static route you added for the /32 public crypto endpoint of the VPN or for the protected inside traffic? You might need to add one for each, both to force the VPN tunnel to establish over the proper interface and to steer the protected traffic toward the interface with the crypto map. Use the ISP next-hop off of eth 0/2 as the target.

                  What static route do you have on ETH0/1?

                  When the VPN traffic stops is the crypto tunnel still up?
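The routing behaviour behind the thread, as an added example that is not part of the original discussion and not AOS code or Adtran's own tooling: a small longest-prefix lookup in Python that models two equal default routes (the load-sharing setup) and then the two extra static routes jayh describes, a /32 for the crypto peer and a route for the protected remote subnet, both pointing at the ISP #2 next hop. The addresses are constructed from the RFC 5737 documentation ranges, the interface names `eth 0/1` / `eth 0/2` come from the thread, and the per-flow hash that picks between equal-cost routes is an assumption used to stand in for the router's load-sharing decision; it shows why, with only the two default routes, some flows to the peer and to the protected subnet leave the interface that has no crypto map, and why the more specific routes pin them to `eth 0/2`.

```python
"""Longest-prefix route lookup showing how a second default route can pull
IPsec traffic onto the interface without the crypto map, and how a host route
for the peer plus a route for the protected subnet pin it back.

Added example; not Adtran/AOS code. Addresses are constructed (RFC 5737).
"""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str


def route(prefix, next_hop, interface):
    return Route(ipaddress.ip_network(prefix), next_hop, interface)


# Constructed values; only the interface names come from the thread.
ISP1_GW = "192.0.2.1"         # ISP #1 next hop off eth 0/1 (no crypto map)
ISP2_GW = "198.51.100.1"      # ISP #2 next hop off eth 0/2 (crypto map applied)
VPN_PEER = "203.0.113.10"     # public IPsec endpoint at the far end
REMOTE_LAN = "172.16.0.0/24"  # protected subnet behind that peer
CRYPTO_IF = "eth 0/2"

# Table 1: the load-sharing setup, two default routes of equal length.
TABLE_SHARED = [
    route("0.0.0.0/0", ISP1_GW, "eth 0/1"),
    route("0.0.0.0/0", ISP2_GW, "eth 0/2"),
]

# Table 2: the two static routes suggested in the thread, both via ISP #2.
TABLE_PINNED = TABLE_SHARED + [
    route(VPN_PEER + "/32", ISP2_GW, CRYPTO_IF),  # makes the tunnel establish on eth 0/2
    route(REMOTE_LAN, ISP2_GW, CRYPTO_IF),        # steers protected traffic to the crypto map
]


def lookup(table, dst, src):
    """Pick the route for dst: longest prefix wins; among equal prefixes a
    per-flow hash of (src, dst) chooses one path, a simplified stand-in for
    the router's load-sharing decision (assumption, not AOS behaviour)."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in table if dst_ip in r.prefix]
    if not matches:
        return None
    best = max(r.prefix.prefixlen for r in matches)
    candidates = sorted((r for r in matches if r.prefix.prefixlen == best),
                        key=lambda r: r.interface)
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return candidates[digest[0] % len(candidates)]


def flows_leaving(table, dst, hosts=64):
    """Set of egress interfaces used when `hosts` inside hosts talk to dst."""
    return {lookup(table, dst, f"10.0.0.{i}").interface for i in range(1, hosts + 1)}


def flows_bypassing_crypto(table, dst, hosts=64):
    """How many of those inside hosts exit an interface with no crypto map."""
    return sum(1 for i in range(1, hosts + 1)
               if lookup(table, dst, f"10.0.0.{i}").interface != CRYPTO_IF)


if __name__ == "__main__":
    for name, table in (("two default routes", TABLE_SHARED), ("with /32 and subnet routes", TABLE_PINNED)):
        print(f"{name}:")
        for dst in (VPN_PEER, "172.16.0.50", "203.0.113.200"):
            print(f"  {dst:>15} -> {sorted(flows_leaving(table, dst))}, "
                  f"{flows_bypassing_crypto(table, dst)} flows miss the crypto map")
```

With only the two default routes, both the packets that carry the tunnel itself (to `VPN_PEER`) and the cleartext flows to `172.16.0.0/24` get spread across both ISPs, so part of them leave `eth 0/1` where nothing encrypts them; once the /32 and the subnet route exist, longest-prefix match sends all of it out `eth 0/2`, while ordinary internet destinations keep load-sharing across both uplinks.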