Cloud Service: Configure Cisco 1941 ISR backup peer configuration when using SAML Authentication
Article ID: 168772
Updated On:
Products
Web Security Service - WSS
Issue/Introduction
Deployment: Configure Cisco 1941 and SAML Authentication.
Task: Create an ISR backup peer, which prevents traffic from going to another data pod; all traffic must go same data pod.
For example
If you do not set default peer, the IPsec traffic might go to both Singapore and Tokyo.
For example
TCP 443 traffic goes to the Tokyo data pod, which causes SAML Authentication to fail for port 443 traffic.
Task: Create an ISR backup peer, which prevents traffic from going to another data pod; all traffic must go same data pod.
For example
=================
443 -> Singapore
80 -> Singapore
8443 -> Singapore
=================
443 -> Singapore
80 -> Singapore
8443 -> Singapore
=================
If you do not set default peer, the IPsec traffic might go to both Singapore and Tokyo.
For example
=================
443 -> Tokyo
80 -> Singapore
8443 -> Singapore
=================
443 -> Tokyo
80 -> Singapore
8443 -> Singapore
=================
TCP 443 traffic goes to the Tokyo data pod, which causes SAML Authentication to fail for port 443 traffic.
Cause
The cause is the default peer is not set; for example:
Plus using three SA tunnels for 80,443 and 8443.
For example:
=====
set peer 103.246.37.164
set peer 103.246.39.164
=====
set peer 103.246.37.164
set peer 103.246.39.164
=====
Plus using three SA tunnels for 80,443 and 8443.
For example:
=====
ip access-list extended TP_TRAFFIC
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
deny ip any any
=====
ip access-list extended TP_TRAFFIC
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
deny ip any any
=====
Resolution
The following example configuration prevents this scenario.
Set up one SA tunnel for all traffic (80,443 and 8443) and set default peer; for example:
Set up one SA tunnel for all traffic (80,443 and 8443) and set default peer; for example:
=====
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key <pre-shared-key> address wss_primary_IP_address
crypto isakmp key <pre-shared-key> address wss_backup_IP_address
crypto isakmp keepalive 10 periodic
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set CP-AES-SHA esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer wss_primary_IP_address default
set peer wss_backup_IP_address
set security-association lifetime seconds 120
set ip access-group OUT-TRAFFIC out
set transform-set CP-AES-SHA
set pfs group5
match address IPSEC_TRAFFIC
!
ip access-list extended IPSEC_TRAFFIC
permit ip any any
!
ip access-list extended OUT-TRAFFIC
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
deny ip any any
!
.....
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key <pre-shared-key> address wss_primary_IP_address
crypto isakmp key <pre-shared-key> address wss_backup_IP_address
crypto isakmp keepalive 10 periodic
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set CP-AES-SHA esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer wss_primary_IP_address default
set peer wss_backup_IP_address
set security-association lifetime seconds 120
set ip access-group OUT-TRAFFIC out
set transform-set CP-AES-SHA
set pfs group5
match address IPSEC_TRAFFIC
!
ip access-list extended IPSEC_TRAFFIC
permit ip any any
!
ip access-list extended OUT-TRAFFIC
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
deny ip any any
!
.....
Feedback
Yes
No
Powered by
