Issue/Introduction:
Deployment: Configure Cisco 1941 and SAML Authentication.
Task: Create an ISR backup peer, which prevents traffic from going to another data pod; all traffic must go same data pod.
For example
=================
443 -> Singapore
80 -> Singapore
8443 -> Singapore
=================
If you do not set default peer, the IPsec traffic might go to both Singapore and Tokyo.
For example
=================
443 -> Tokyo
80 -> Singapore
8443 -> Singapore
=================
TCP 443 traffic goes to the Tokyo data pod, which causes SAML Authentication to fail for port
443 traffic.
Cause:
The cause is the default peer is not set; for example:
=====
set peer 103.246.37.164
set peer 103.246.39.164
=====
Plus using three SA tunnels for
80,443 and 8443.For example:
=====
ip access-list extended TP_TRAFFIC
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
deny ip any any
=====
Resolution:
The following example configuration prevents this scenario.
Set up one SA tunnel for all traffic (80,443 and 8443) and set default peer; for example:
=====
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key <pre-shared-key> address wss_primary_IP_address
crypto isakmp key <pre-shared-key> address wss_backup_IP_address
crypto isakmp keepalive 10 periodic
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set CP-AES-SHA esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer wss_primary_IP_address default
set peer wss_backup_IP_address
set security-association lifetime seconds 120
set ip access-group OUT-TRAFFIC out
set transform-set CP-AES-SHA
set pfs group5
match address IPSEC_TRAFFIC
!
ip access-list extended IPSEC_TRAFFIC
permit ip any any
!
ip access-list extended OUT-TRAFFIC
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
deny ip any any
!
.....