Cloud Service: Configure Cisco 1941 ISR backup peer configuration when using SAML Authentication


Article ID: 168772


Products

Web Security Service - WSS

Issue/Introduction

Deployment: Configure Cisco 1941 and SAML Authentication.
Task: Create an ISR backup peer so that traffic does not get split across data pods; all traffic must go to the same data pod.

For example
=================
443 -> Singapore
80 -> Singapore
8443 -> Singapore
================= 

If you do not set a default peer, the IPsec traffic might be split between Singapore and Tokyo.
For example
=================
443 -> Tokyo
80 -> Singapore
8443 -> Singapore
================= 

TCP 443 traffic goes to the Tokyo data pod, which causes SAML Authentication to fail for port 443 traffic.

Cause

The cause is that no default peer is set; for example:
=====
set peer 103.246.37.164
set peer 103.246.39.164
=====

In addition, the crypto ACL has a separate entry for each of ports 80, 443 and 8443, so three SA tunnels are negotiated, one per port. For example:
=====
ip access-list extended TP_TRAFFIC
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
deny   ip any any
=====

Resolution

The following example configuration prevents this scenario.

Set up one SA tunnel for all traffic (80, 443 and 8443) and set a default peer; for example:
=====
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key <pre-shared-key> address wss_primary_IP_address 
crypto isakmp key <pre-shared-key> address wss_backup_IP_address 
crypto isakmp keepalive 10 periodic 
crypto isakmp aggressive-mode disable 
!
crypto ipsec transform-set CP-AES-SHA esp-aes esp-sha-hmac 
no crypto ipsec nat-transparency udp-encaps 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer wss_primary_IP_address default
set peer wss_backup_IP_address
set security-association lifetime seconds 120  
set ip access-group OUT-TRAFFIC out
set transform-set CP-AES-SHA  
set pfs group5  
match address IPSEC_TRAFFIC 
!
ip access-list extended IPSEC_TRAFFIC
permit ip any any
!
ip access-list extended OUT-TRAFFIC
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
deny   ip any any
!
.....
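As an added example (not part of this article and not Broadcom/Symantec or Cisco code), the following Python script audits an IOS configuration for the two conditions described in the Cause section: a crypto map entry with more than one peer but no `set peer ... default`, and a crypto ACL with several per-port permit entries, which negotiates one SA per entry. The two sample configurations are constructed from the snippets in this article; the peer addresses and ACL names are the ones shown above and are not real deployment values.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample: the problematic setup from the Cause section (two peers,
# neither marked default, and a crypto ACL with one permit per port).
BAD_CONFIG = """
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 103.246.37.164
 set peer 103.246.39.164
 set transform-set CP-AES-SHA
 match address TP_TRAFFIC
!
ip access-list extended TP_TRAFFIC
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 8443
 deny   ip any any
!
"""

# Constructed sample: the Resolution setup (default peer, single permit-all crypto
# ACL, port filtering moved to the outbound access-group).
GOOD_CONFIG = """
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer wss_primary_IP_address default
 set peer wss_backup_IP_address
 set ip access-group OUT-TRAFFIC out
 set transform-set CP-AES-SHA
 match address IPSEC_TRAFFIC
!
ip access-list extended IPSEC_TRAFFIC
 permit ip any any
!
ip access-list extended OUT-TRAFFIC
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 8443
 deny   ip any any
!
"""


@dataclass
class CryptoMapEntry:
    name: str
    seq: str
    peers: List[str] = field(default_factory=list)
    default_peer: str = ""
    match_acl: str = ""


def parse_ios(config: str) -> Tuple[List[CryptoMapEntry], Dict[str, List[str]]]:
    """Extract crypto map entries and the permit lines of each extended ACL.

    Only the sub-commands relevant to this audit are parsed; '!' or a blank
    line ends the current block, as it does in IOS running-config output.
    """
    maps: List[CryptoMapEntry] = []
    acls: Dict[str, List[str]] = {}
    current: Optional[Union[CryptoMapEntry, str]] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line)
        if m:
            current = CryptoMapEntry(m.group(1), m.group(2))
            maps.append(current)
            continue
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            acls[m.group(1)] = []
            current = m.group(1)
            continue
        if isinstance(current, CryptoMapEntry):
            m = re.match(r"set peer (\S+)( default)?$", line)
            if m:
                current.peers.append(m.group(1))
                if m.group(2):
                    current.default_peer = m.group(1)
                continue
            m = re.match(r"match address (\S+)$", line)
            if m:
                current.match_acl = m.group(1)
        elif isinstance(current, str) and line.startswith("permit "):
            acls[current].append(line)
    return maps, acls


def audit_config(config: str) -> List[str]:
    """Return one finding per crypto map condition that can split traffic across pods."""
    findings: List[str] = []
    maps, acls = parse_ios(config)
    for entry in maps:
        where = f"crypto map {entry.name} {entry.seq}"
        if len(entry.peers) > 1 and not entry.default_peer:
            findings.append(
                f"{where}: {len(entry.peers)} peers but no 'set peer ... default'; "
                "SAs may be negotiated with different data pods"
            )
        permits = acls.get(entry.match_acl, [])
        if len(permits) > 1:
            findings.append(
                f"{where}: crypto ACL {entry.match_acl} has {len(permits)} permit entries, "
                "so one SA is negotiated per entry; use a single 'permit ip any any' and "
                "filter ports with 'set ip access-group ... out' instead"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("BAD_CONFIG", BAD_CONFIG), ("GOOD_CONFIG", GOOD_CONFIG)):
        print(label, audit_config(cfg) or ["no findings"])
```

Run it against a `show running-config` capture to confirm that every crypto map entry with two WSS peers has one of them marked `default` and that its `match address` ACL is a single permit-all entry; the outbound port filter then belongs on `set ip access-group ... out`, as in the Resolution configuration.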