IPSec VPN Configuration Example: Cisco 881 ISR

This example illustrates how to configure two IPSec VPN tunnels from a Cisco 881 Integrated Services Router (ISR) to two Zscaler Enforcement Nodes (ZENs): a primary tunnel from the router to a ZEN in one data center and a secondary tunnel from the router to a ZEN in another data center.

A network diagram showing the primary and secondary IPSec tunnels from a Cisco ISR appliance to two Zscaler ZENs.

Zscaler IPSec tunnels support a limit of 200 Mbps for each public source IP address. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends configuring more IPSec VPN tunnels with different public source IP addresses. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two backup VPN tunnels. If your organization forwards 600 Mbps of traffic, you can configure three primary VPN tunnels and three backup VPN tunnels.

Organizations typically forward all traffic destined for any port to the Zscaler service. Alternatively, you can limit the traffic that you forward to Zscaler services to HTTP and HTTPS traffic (i.e., traffic destined for port 80 and port 443). Regardless, tunneling provides visibility into the internal IP addresses, which can be used for the Zscaler security policies and logging.

Prerequisites

Ensure you have the following information for setting up the IPSec VPN tunnels:

If you are unable to ping both ZEN IP addresses, please contact Zscaler Support.

Configuring the IPSec VPN Tunnel in the Zscaler Admin Portal

In this configuration example, the peers use an FQDN and a pre-shared key (PSK) for authentication.

To configure the IPSec VPN tunnels in the Zscaler Admin Portal:

  1. Add the VPN Credential

You need the FQDN and PSK when linking the VPN credentials to a location and creating the IKE gateways.

  2. Link the VPN Credentials to a Location

Configuring the IPSec VPN Tunnel on Cisco 881 ISR

Choose one of the following Internet Key Exchange (IKE) versions and configure accordingly.

Zscaler recommends using IKEv2 because it's faster and simpler than IKEv1 and fixes IKEv1 vulnerabilities.

Configuring IKEv2

You must have a Cisco 881 ISR running Cisco IOS version 15.1.1T or later to configure IKEv2.

This section describes how to configure two IPSec VPN tunnels on Cisco 881 ISR running Cisco IOS 15.4(3)M3. Both tunnels must be configured at your gateway. Only a single tunnel is operational at any time. The second tunnel acts as a backup tunnel. This configuration uses CLI commands. To learn more about these commands, see the Cisco documentation.

You must provide the following information to configure the tunnels:

  • <FQDN> - The FQDN of the VPN credentials you created in the Zscaler Admin Portal.
  • <Pre-Shared Key> - The pre-shared key of the VPN credentials you created in the Zscaler Admin Portal.
  • <LAN Interface> - The LAN interface of the ISR.
  • <WAN Interface> - The WAN interface of the ISR.
  • <MTU> - The optimal MTU for the tunnels.
  • <Primary VPN IP Address> and <Backup VPN IP Address> - The IP addresses of the ZENs.
  • <Primary Global ZEN IP Address> and <Backup Global ZEN IP Address> - The global IP addresses of the ZENs.
  • <Exempted Server IP> - Traffic to this IP address or IP subnet won't be sent through the VPN tunnels to Zscaler. The IP address or IP subnet can be an internal server farm reachable through a router or an external public IP address that must be excluded from being routed through the tunnel.
  • <Zscaler Cloud> - Your Zscaler cloud name.

To configure the IPSec VPN tunnel on Cisco 881 ISR:

1. Configure the IKEv2 Proposal

Configure the IKEv2 proposal to negotiate the IKEv2 SA in the IKE_SA_INIT exchange. The IKEv2 proposal defines the encryption algorithm, authentication method, data integrity algorithm, and Diffie-Hellman group parameters used for the IKE negotiation.

Enter the following commands:

crypto ikev2 proposal <Proposal Name>
 encryption aes-cbc-256
 integrity sha1
 group 14

You will need the <Proposal Name> for 2. Configure the IKEv2 Policy.

2. Configure the IKEv2 Policy

Configure the IKEv2 policy to associate with the IKEv2 proposal. The IKEv2 policy defines the proposal used during the IKE negotiation. You need the <Proposal Name> created in 1. Configure the IKEv2 Proposal.

Enter the following commands:

crypto ikev2 policy <Policy Name>
 match fvrf any
 proposal <Proposal Name>

3. Configure the IKEv2 Key Ring

Configure the IKEv2 key ring if the peer authentication method is a PSK.

Enter the following commands:

crypto ikev2 keyring <Key Ring Name>
 peer <Peer 1 Name>
  address <Primary VPN IP Address>
  pre-shared-key <Pre-Shared Key>
 peer <Peer 2 Name>
  address <Backup VPN IP Address>
  pre-shared-key <Pre-Shared Key>

You will need the <Key Ring Name> for 4. Configure the IKEv2 Profiles.

4. Configure the IKEv2 Profiles

Configure two IKEv2 profiles to define the non-negotiable parameters for the IKE SA. You need the <Key Ring Name> created in 3. Configure the IKEv2 Key Ring.

Enter the following commands:

crypto ikev2 profile <IKEv2 Profile 1 Name>
 match identity remote address <Primary VPN IP Address>
 identity local email <FQDN>
 authentication remote pre-share
 authentication local pre-share
 keyring local <Key Ring Name>
 lifetime 86400
 no config-exchange request
crypto ikev2 profile <IKEv2 Profile 2 Name>
 match identity remote address <Backup VPN IP Address>
 identity local email <FQDN>
 authentication remote pre-share
 authentication local pre-share
 keyring local <Key Ring Name>
 lifetime 86400
 no config-exchange request

You will need the <IKEv2 Profile 1 Name> and <IKEv2 Profile 2 Name> for 9. Configure the IPSec Profiles and 10. Create the Tunnel Interfaces.

5. Configure IKEv2 Dead Peer Detection

Enter the following command:

crypto ikev2 dpd 10 5 periodic

6. Configure the IKEv2 NAT Keepalive

Enter the following command:

crypto ikev2 nat keepalive 20

7. Define the IPSec Transform Set

The IPSec transform set defines the encryption, authentication, and IPSec mode parameters for the IKE_AUTH exchange.

Enter the following commands:

crypto ipsec transform-set <Transform Set Name> esp-null esp-sha-hmac
 mode tunnel

Zscaler recommends using null encryption because it reduces the load on the local router for traffic destined for the Internet. If you want to use AES, you must purchase a separate subscription and use the esp-aes command.

You will need the <Transform Set Name> for 9. Configure the IPSec Profiles.

8. Enable IPSec Fragmentation

Enable IPSec fragmentation after encryption.

Enter the following command:

crypto ipsec fragmentation after-encryption 

9. Configure the IPSec Profiles

Configure two IPSec profiles to associate with your IKEv2 profiles. You need the <Transform Set Name> created in 7. Define the IPSec Transform Set and the <IKEv2 Profile 1 Name> and <IKEv2 Profile 2 Name> created in 4. Configure the IKEv2 Profiles.

Enter the following commands:

crypto ipsec profile <IPSec Profile 1 Name>
 set security-association lifetime seconds 28800
 set security-policy limit 1
 set transform-set <Transform Set Name>
 set ikev2-profile <IKEv2 Profile 1 Name>
crypto ipsec profile <IPSec Profile 2 Name>
 set security-association lifetime seconds 28800
 set security-policy limit 1
 set transform-set <Transform Set Name>
 set ikev2-profile <IKEv2 Profile 2 Name>

You will need the <IPSec Profile 1 Name> and <IPSec Profile 2 Name> for 10. Create the Tunnel Interfaces.

10. Create the Tunnel Interfaces

Create two tunnel interfaces that are associated with your IPSec and IKEv2 profiles. All traffic routed to the tunnel interface is encrypted and transmitted to the ZEN. Similarly, traffic from the ZEN is logically received on the interface. You can use the tunnel protection command to associate the interfaces with the Child SA.

You need the <IPSec Profile 1 Name> and <IPSec Profile 2 Name> created in 9. Configure the IPSec Profiles and the <IKEv2 Profile 1 Name> and <IKEv2 Profile 2 Name> created in 4. Configure the IKEv2 Profiles.

Enter the following commands:

interface <Primary Tunnel Interface>
 ip unnumbered <WAN Interface>
 ip mtu <MTU>
 ip tcp adjust-mss 1388
 tunnel source <WAN Interface>
 tunnel mode ipsec ipv4
 tunnel destination <Primary VPN IP Address>
 tunnel protection ipsec profile <IPSec Profile 1 Name> ikev2-profile <IKEv2 Profile 1 Name>
interface <Backup Tunnel Interface>
 ip unnumbered <WAN Interface>
 ip mtu <MTU>
 ip tcp adjust-mss 1388
 tunnel source <WAN Interface>
 tunnel mode ipsec ipv4
 tunnel destination <Backup VPN IP Address>
 tunnel protection ipsec profile <IPSec Profile 2 Name> ikev2-profile <IKEv2 Profile 2 Name>

You will need the <Primary Tunnel Interface> and <Backup Tunnel Interface> for 12. Define the Route Map and 14. Configure IP SLA for VPN Monitoring.

11. Create the Access Control List (ACL)

Create an ACL to send relevant traffic through the tunnel. Most organizations forward all traffic to Zscaler. You can use any of the following commands to configure your ACL:

  • If you want to send all traffic through the tunnel, enter the following:

    access-list <ACL Number> permit ip any any

  • If you only want to send web traffic (i.e., HTTP and HTTPS) through the tunnel, enter the following:

    access-list <ACL Number> permit tcp any any eq 80
    access-list <ACL Number> permit tcp any any eq 443

  • If you want traffic to a web server to be exempted from going through the tunnel, enter the following. ACL entries are evaluated in order, so the deny entry must precede the permit entries:

    access-list <ACL Number> deny ip any <Exempted Server IP>
    access-list <ACL Number> permit tcp any any eq 80
    access-list <ACL Number> permit tcp any any eq 443

You will need the <ACL Number> for 12. Define the Route Map.

12. Define the Route Map

Define a route map that links the ACL with the tunnel interfaces. You need the <ACL Number> created in 11. Create the Access Control List (ACL) and the <Primary Tunnel Interface> and <Backup Tunnel Interface> created in 10. Create the Tunnel Interfaces.

Enter the following commands:

route-map <Route Map Name> permit 1
 match ip address <ACL Number>
 set interface <Primary Tunnel Interface> <Backup Tunnel Interface>

You will need the <Route Map Name> for 13. Configure Network Address Translation (NAT).

13. Configure Network Address Translation (NAT)

Configure NAT on the WAN and LAN interfaces. You need the <Route Map Name> created in 12. Define the Route Map.

Enter the following commands:

interface <WAN Interface>
 description $ES_WAN$
 ip address 10.96.19.244 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface <LAN Interface>
 ip address 172.17.0.128 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map <Route Map Name>

14. Configure IP SLA for VPN Monitoring

The IP SLA monitor is used to provide a failover between the two tunnels. If the primary tunnel fails, the backup tunnel is used automatically. Ensure the IP address used for VPN monitoring is reachable.

The IP SLAs below are defined as ip sla 1 and ip sla 2. You need the <Primary Tunnel Interface> and <Backup Tunnel Interface> created in 10. Create the Tunnel Interfaces.

If you use PAC files to forward traffic through the tunnel, ensure that you use different Global ZEN IP addresses for IP SLA monitoring and your PAC files. Using the same Global ZEN IP addresses causes the PAC files to send all packets through the same tunnel regardless of the tunnel interface state.

Enter the following commands:

track 1 ip sla 1 state
 delay down 180 up 180
track 2 ip sla 2 state
 delay down 180 up 180
ip route <Primary Global ZEN IP Address> 255.255.255.255 <Primary Tunnel Interface> permanent
ip route <Backup Global ZEN IP Address> 255.255.255.255 <Backup Tunnel Interface> permanent
ip sla 1
 http raw http://<Primary Global ZEN IP Address>:80
 http-raw-request
  GET http://gateway.<Zscaler Cloud>.net/vpntest HTTP/1.0\r\n
  User-Agent: Cisco IP SLA\r\n
  end\r\n
  \r\n
  exit
 threshold 300
 timeout 5000
ip sla schedule 1 life forever start-time now
ip sla 2
 http raw http://<Backup Global ZEN IP Address>:80
 http-raw-request
  GET http://gateway.<Zscaler Cloud>.net/vpntest HTTP/1.0\r\n
  User-Agent: Cisco IP SLA\r\n
  end\r\n
  \r\n
  exit
 threshold 300
 timeout 5000
ip sla schedule 2 life forever start-time now
ip sla reaction-configuration 1 react rtt threshold-value 300 1 threshold-type consecutive 3
ip sla reaction-configuration 2 react rtt threshold-value 300 1 threshold-type consecutive 3

If you want to configure VPN monitoring for more tunnels, see additional Global ZEN IP addresses.
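The steps above chain names from one step to the next (key ring peers, IKEv2 profiles, tunnel destinations, ACL order), and a mismatch between any two of them leaves a tunnel that never comes up or an exemption that never applies. As an added example, not Zscaler's or Cisco's code, this Python checker parses a rendered IOS configuration in that layout and flags three such mismatches; the profile names and addresses in the constructed sample are hypothetical (RFC 5737 documentation ranges stand in for ZEN IPs).

```python
import re

# Constructed sample in this page's IKEv2 layout: hypothetical names, RFC 5737
# documentation addresses in place of real ZEN IPs, and two deliberate mistakes.
SAMPLE_CONFIG = """\
crypto ikev2 keyring ZS-KEYRING
 peer ZEN-PRIMARY
  address 203.0.113.10
  pre-shared-key EXAMPLE-PSK
 peer ZEN-BACKUP
  address 203.0.113.20
  pre-shared-key EXAMPLE-PSK
crypto ikev2 profile ZS-IKEV2-1
 match identity remote address 203.0.113.10
crypto ikev2 profile ZS-IKEV2-2
 match identity remote address 203.0.113.99
interface Tunnel1
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile ZS-IPSEC-1 ikev2-profile ZS-IKEV2-1
interface Tunnel2
 tunnel destination 203.0.113.20
 tunnel protection ipsec profile ZS-IPSEC-2 ikev2-profile ZS-IKEV2-2
access-list 101 permit tcp any any eq 80
access-list 101 deny ip any host 192.0.2.50
"""


def parse_blocks(config):
    """Map each unindented IOS line to the indented sub-lines that follow it."""
    blocks, header = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":
            header = raw.strip()
            blocks.setdefault(header, [])
        elif header is not None:
            blocks[header].append(raw.strip())
    return blocks


def sub_value(body, prefix):
    """Remainder of the first sub-line starting with prefix, or '' if absent."""
    return next((l[len(prefix):].strip() for l in body if l.startswith(prefix)), "")


def check_config(config):
    """Cross-check the references the steps above build up; return a list of findings."""
    blocks = parse_blocks(config)
    findings = []
    ikev2 = {h.split()[-1]: b for h, b in blocks.items() if h.startswith("crypto ikev2 profile ")}
    peers = {l.split()[1] for h, b in blocks.items()
             if h.startswith("crypto ikev2 keyring ") for l in b if l.startswith("address ")}
    tp = re.compile(r"tunnel protection ipsec profile \S+ ikev2-profile (\S+)")
    for h, body in blocks.items():
        if not h.startswith("interface Tunnel"):
            continue
        dest = sub_value(body, "tunnel destination ")
        if dest not in peers:  # step 3: every tunnel peer needs a keyring entry with its PSK
            findings.append(f"{h}: no keyring peer for destination {dest}")
        for m in filter(None, map(tp.match, body)):
            name = m.group(1)
            remote = sub_value(ikev2.get(name, []), "match identity remote address ")
            if remote != dest:  # step 4 vs step 10: the identity match must equal the peer
                findings.append(f"{h}: destination {dest} but {name} matches remote '{remote}'")
    # Step 11: a deny placed after a permit never sees traffic the permit already matched.
    permitted = set()
    for h in blocks:
        m = re.match(r"access-list (\S+) (permit|deny) ", h)
        if m and m.group(2) == "permit":
            permitted.add(m.group(1))
        elif m and m.group(1) in permitted:
            findings.append(f"access-list {m.group(1)}: deny follows a permit; put exemptions first")
    return findings
```

Running check_config(SAMPLE_CONFIG) reports the backup profile whose remote identity does not match the Tunnel2 destination and the exemption deny that sits below a permit.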

Configuring IKEv1

This section describes how to configure two IPSec VPN tunnels on a Cisco 881 ISR running Cisco IOS 15.0. Both tunnels must be configured at your gateway. Only a single tunnel is operational at any time; the second tunnel acts as a backup tunnel. This configuration uses CLI commands. To learn more about these commands, see the Cisco documentation.

You must provide the following information to configure the tunnels:

  • <Primary VPN Hostname> and <Backup VPN Hostname> - The hostnames of the ZENs.
  • <Primary Global ZEN IP Address> and <Backup Global ZEN IP Address> - The global IP addresses of the ZENs.
  • <Pre-Shared Key> - The pre-shared key of the VPN credentials you created in the Zscaler Admin Portal.
  • <FQDN> - The FQDN of the VPN credentials you created in the Zscaler Admin Portal.
  • <LAN Interface> - The LAN interface of the ISR.
  • <WAN Interface> - The WAN interface of the ISR.
  • <MTU> - The optimal MTU for the tunnels.
  • <Zscaler Cloud> - Your Zscaler cloud name.
  • <Exempted Server IP> - Traffic to this IP address or IP subnet won't be sent through the VPN tunnels to Zscaler. The IP address or IP subnet can be an internal server farm reachable through a router or an external public IP address that must be excluded from being routed through the tunnel.

To configure the IPSec VPN tunnel on Cisco 881 ISR:

1. Configure the ISAKMP Policy

Configure a policy for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime, and key parameters. There is a global list of ISAKMP policies, which are identified by sequence numbers.

Zscaler recommends defining the ISAKMP policy as policy 1 so the router evaluates the policy first and reduces the tunnel negotiation time to Zscaler.

Enter the following commands:

crypto isakmp policy 1
 encryption aes128
 authentication pre-share
 hash sha
 group 2
 lifetime 86400
exit

2. Configure the ISAKMP Keepalives

Enter the following commands:

crypto isakmp keepalive 20 5 periodic
crypto isakmp nat keepalive 20

3. Configure the IPSec Peer

Configure the IPSec peer for the IKE negotiation.

Enter the following commands:

crypto isakmp peer address <Primary VPN Hostname>
 set aggressive-mode password <Pre-Shared Key>
 set aggressive-mode client-endpoint user-fqdn <FQDN>
crypto isakmp peer address <Backup VPN Hostname>
 set aggressive-mode password <Pre-Shared Key>
 set aggressive-mode client-endpoint user-fqdn <FQDN>

4. Define the IPSec Transform Set

The IPSec transform set defines the encryption, authentication, and IPSec mode parameters.

Enter the following command:

crypto ipsec transform-set <Transform Set Name> esp-null esp-md5-hmac

Zscaler recommends using null encryption because it reduces the load on the local router/firewall for traffic destined for the Internet. If you want to use AES, you must purchase a separate subscription and use the esp-aes command.

You will need the <Transform Set Name> for 6. Configure the IPSec Profile.

5. Enable IPSec Fragmentation

Enable IPSec fragmentation after encryption.

Enter the following command:

crypto ipsec fragmentation after-encryption

6. Configure the IPSec Profile

Configure the IPSec profile to associate with your transform set. The IPSec profile references the transform set and further defines the other parameters used, such as the security association lifetime.

You need the <Transform Set Name> created in 4. Define the IPSec Transform Set.

Enter the following commands:

crypto ipsec profile <IPSec Profile Name>
 set security-association lifetime seconds 28800
 set security-association idle-time 28800
 set transform-set <Transform Set Name>

You will need the <IPSec Profile Name> for 7. Create the Tunnel Interfaces.

7. Create the Tunnel Interfaces

Create two tunnel interfaces that are associated with your tunnels. All traffic routed to the tunnel interface is encrypted and transmitted to the ZEN. Similarly, traffic from the ZEN is logically received on the interface. You can use the tunnel protection command to associate the interfaces with the IPSec security association.

You need the <IPSec Profile Name> created in 6. Configure the IPSec Profile.

Enter the following commands:

interface <Primary Tunnel Interface>
 ip unnumbered <WAN Interface>
 tunnel source <WAN Interface>
 ip mtu <MTU>
 ip tcp adjust-mss 1388
 tunnel mode ipsec ipv4
 tunnel destination <Primary VPN Hostname>
 tunnel protection ipsec profile <IPSec Profile Name>
interface <Backup Tunnel Interface>
 ip unnumbered <WAN Interface>
 tunnel source <WAN Interface>
 ip mtu <MTU>
 ip tcp adjust-mss 1388
 tunnel mode ipsec ipv4
 tunnel destination <Backup VPN Hostname>
 tunnel protection ipsec profile <IPSec Profile Name>
exit

You will need the <Primary Tunnel Interface> and <Backup Tunnel Interface> for 8. Configure IP SLA for VPN Monitoring and 10. Define the Route Map.

8. Configure IP SLA for VPN Monitoring

The IP SLA monitor is used to provide a failover between the two tunnels. If the primary tunnel fails, the backup tunnel is used automatically. Ensure the ZEN VIP address used for VPN monitoring is reachable.

The IP SLAs below are defined as ip sla 1 and ip sla 2. You need the <Primary Tunnel Interface> and <Backup Tunnel Interface> created in 7. Create the Tunnel Interfaces.

If you are using PAC files to forward traffic through the tunnel, ensure that you are using different Global ZEN IP addresses for IP SLA monitoring and your PAC files. Using the same Global ZEN IP addresses causes the PAC files to send all packets through the same tunnel regardless of the tunnel interface state.

Enter the following commands:

ip route <Primary Global ZEN IP Address> 255.255.255.255 <Primary Tunnel Interface> permanent
ip route <Backup Global ZEN IP Address> 255.255.255.255 <Backup Tunnel Interface> permanent
track 1 ip sla 1 state
 delay down 180 up 180
track 2 ip sla 2 state
 delay down 180 up 180
ip sla 1
 http raw http://<Primary Global ZEN IP Address>:443
  timeout 5000
  threshold 300
  http-raw-request
   GET http://gateway.<Zscaler Cloud>.net/vpntest HTTP/1.0\r\n
   User-Agent: Cisco IP SLA\r\n
   end\r\n
   \r\n
   exit
  exit
ip sla schedule 1 life forever start-time now
ip sla 2
 http raw http://<Backup Global ZEN IP Address>:443
  timeout 5000
  threshold 300
  http-raw-request
   GET http://gateway.<Zscaler Cloud>.net/vpntest HTTP/1.0\r\n
   User-Agent: Cisco IP SLA\r\n
   end\r\n
   \r\n
   exit
  exit
ip sla schedule 2 life forever start-time now

If you want to configure VPN monitoring for more tunnels, see additional Global ZEN IP addresses.

9. Configure the Access Control List (ACL)

Create an ACL to send relevant traffic through the tunnel. Most organizations forward all traffic to Zscaler. You can use any of the following commands to configure your ACL:

  • If you want to send all traffic through the tunnel, enter the following:

    access-list <ACL Number> permit ip any any

  • If you only want to send web traffic (i.e., HTTP and HTTPS) through the tunnel, enter the following:

    access-list <ACL Number> permit tcp any any eq 80
    access-list <ACL Number> permit tcp any any eq 443

  • If you want traffic to a web server to be exempted from going through the tunnel, enter the following. ACL entries are evaluated in order, so the deny entry must precede the permit entries:

    access-list <ACL Number> deny ip any <Exempted Server IP>
    access-list <ACL Number> permit tcp any any eq 80
    access-list <ACL Number> permit tcp any any eq 443

You will need the <ACL Number> for 10. Define the Route Map.

10. Define the Route Map

Define a route map that links the ACL with the tunnel interfaces. You need the <ACL Number> created in 9. Configure the Access Control List (ACL).

Enter the following commands:

route-map <Route Map Name> permit 1
 match ip address <ACL Number>
 set ip next-hop verify-availability <Primary VPN Hostname> 1 track 1
 set ip next-hop verify-availability <Backup VPN Hostname> 2 track 2
exit
interface <LAN Interface>
 ip policy route-map <Route Map Name>

Troubleshooting

You can use the following troubleshooting commands while setting up the tunnels.

Enter the following command to troubleshoot Phase 1 of the tunnel. The response shows an organization's gateway with IKE configured correctly. The status value should be ACTIVE.

The <Customer IP> is the customer public IP address on the WAN interface of the ISR.

ciscoisr# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst                       src                 state              conn-id       status
<Primary VPN Hostname>    <Customer IP>       QM_IDLE            2012          ACTIVE
<Backup VPN Hostname>     <Customer IP>       AG_INIT_EXCH       2011          ACTIVE

IPv6 Crypto ISAKMP SA

Enter the following command to troubleshoot Phase 2 of the tunnel. The response shows an organization's gateway with IKE configured correctly. Ensure that some packets are encapsulated and decapsulated for the primary and secondary tunnel and that the inbound and outbound ESP SAs have an ACTIVE status. This indicates that traffic is flowing through the tunnel.

The <Corporate Public IP> is the IP address on the router from which the IPSec tunnel is established.

ciscoisr# show crypto ipsec sa
interface: <Primary Tunnel Interface>
    Crypto map tag: Tunnel1-head-0, local addr: <Corporate Public IP>
   protected vrf: (none)
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: <Primary VPN Hostname> port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: <Corporate Public IP>, remote crypto endpt.: <Primary VPN Hostname>

     path mtu <MTU>, ip mtu <MTU>, ip mtu idb FastEthernet4
     current outbound spi: 0xBDC1E53(198975059)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xDF685FC2(3748159426)
        transform: esp-aes128 esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4552507/14113)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBDC1E53(198975059)
        transform: esp-null esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4552507/14113)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: <Backup Tunnel Interface>
    Crypto map tag: Tunnel2-head-0, local addr: <Corporate Public IP>
   protected vrf: (none)
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: <Backup VPN Hostname> port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: <Corporate Public IP>, remote crypto endpt.: <Backup VPN Hostname>

     path mtu <MTU>, ip mtu <MTU>, ip mtu idb FastEthernet4
     current outbound spi: 0xBDC1E53(198975059)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:

     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

Enter the following command to track the IP SLA status. The IP SLA reachability status indicates the tunnel monitoring results. Reachability is Down indicates that the tunnel monitoring failed, while Reachability is Up indicates that the tunnel monitoring is successful.

ciscoisr# show track
Track 1
 IP SLA 1 reachability
 Reachability is Down
   3 changes, last change 00:16:23
 Latest operation return code: Timeout
Track 2
 IP SLA 2 reachability
 Reachability is Up
   2 changes, last change 01:01:27
 Latest operation return code: OK
 Latest RTT (millisecs) 1

Enter the following command to view the IP SLA statistics:

ciscoisr# show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 2
Number of successes: Unknown
Number of failures: Unknown
Operation time to live: 0


IPSLA operation id: 1
		Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *02:29:07.511 UTC Mon Nov 10 2014
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 2
Operation time to live: Forever

IPSLA operation id: 2
		Latest RTT: 1 milliseconds
Latest operation start time: *02:29:10.719 UTC Mon Nov 10 2014
Latest operation return code: OK
Number of successes: 2
Number of failures: 0
Operation time to live: Forever

After simulating a failure of the primary tunnel, enter the following command to verify that a failover to the backup tunnel occurs. If the failover is successful, the backup tunnel has an UP-ACTIVE session status and the primary tunnel has a DOWN-NEGOTIATING session status.

ciscoisr# show crypto session
Crypto session current status

Interface: <Backup Tunnel Interface>
Session status: UP-ACTIVE
Peer: <Backup VPN Hostname> port 500
 IKEv1 SA: local <Corporate Public IP>/500 remote <Backup VPN Hostname>/500 Active
 IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
		Active SAs: 2, origin: crypto map

Interface: <Primary Tunnel Interface>
Session status: DOWN-NEGOTIATING
Peer: <Primary VPN Hostname> port 500
 IKEv1 SA: local <Corporate Public IP>/500 remote <Primary VPN Hostname>/500 Inactive
 IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
		Active SAs: 0, origin: crypto map
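The failover check above rests on two independent signals: the IKE/IPSec session state from show crypto session and the IP SLA probe result from show track, and they can disagree (an SA that is up while the HTTP probe through it times out). As an added example, not part of the Zscaler page or of Cisco's tooling, this Python parser reads both outputs in the format shown above and classifies the tunnel state, reporting such a disagreement as degraded; the interface names Tunnel1/Tunnel2, the peer hostnames and the addresses in the constructed sample are placeholders.

```python
import re

# Constructed sample output in the format the two commands above produce; the
# interface names, peer hostnames and addresses are placeholders, not real ZENs.
SHOW_CRYPTO_SESSION = """\
Interface: Tunnel2
Session status: UP-ACTIVE
Peer: zen-backup.example.net port 500
 IKEv1 SA: local 198.51.100.7/500 remote zen-backup.example.net/500 Active
 IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

Interface: Tunnel1
Session status: DOWN-NEGOTIATING
Peer: zen-primary.example.net port 500
 IKEv1 SA: local 198.51.100.7/500 remote zen-primary.example.net/500 Inactive
 IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
"""

SHOW_TRACK = """\
Track 1
 IP SLA 1 reachability
 Reachability is Down
   3 changes, last change 00:16:23
 Latest operation return code: Timeout
Track 2
 IP SLA 2 reachability
 Reachability is Up
   2 changes, last change 01:01:27
 Latest operation return code: OK
"""


def parse_crypto_session(text):
    """Return {interface: {'status', 'peer', 'active_sas'}} from 'show crypto session'."""
    sessions = {}
    for block in re.split(r"\n(?=Interface: )", text):
        m = re.match(r"Interface: (\S+)", block)
        if not m:
            continue
        sessions[m.group(1)] = {
            "status": re.search(r"^Session status: (\S+)", block, re.M).group(1),
            "peer": re.search(r"^Peer: (\S+)", block, re.M).group(1),
            "active_sas": int(re.search(r"Active SAs: (\d+)", block).group(1)),
        }
    return sessions


def parse_track(text):
    """Return {track_number: {'up': bool, 'return_code': str}} from 'show track'."""
    tracks = {}
    for block in re.split(r"\n(?=Track \d)", text):
        m = re.match(r"Track (\d+)", block)
        if not m:
            continue
        tracks[int(m.group(1))] = {
            "up": "Reachability is Up" in block,
            "return_code": re.search(r"return code: (\S+)", block).group(1),
        }
    return tracks


def tunnel_state(sessions, tracks, iface, track_id):
    """Combine the IPsec session status with the IP SLA track that watches that tunnel.
    'degraded' means the two disagree, e.g. the SA is up but the probe over it times out."""
    sess_up = sessions.get(iface, {}).get("status") == "UP-ACTIVE"
    sla_up = tracks.get(track_id, {}).get("up", False)
    if sess_up and sla_up:
        return "up"
    if not sess_up and not sla_up:
        return "down"
    return "degraded"


def assess_failover(session_text, track_text, primary="Tunnel1", backup="Tunnel2"):
    """Per-tunnel state plus which tunnel carries traffic: 'primary', 'failover' or 'outage'."""
    sessions, tracks = parse_crypto_session(session_text), parse_track(track_text)
    states = {"primary": tunnel_state(sessions, tracks, primary, 1),
              "backup": tunnel_state(sessions, tracks, backup, 2)}
    states["verdict"] = ("primary" if states["primary"] == "up"
                         else "failover" if states["backup"] == "up" else "outage")
    return states
```

For the sample above, assess_failover returns primary down, backup up and the verdict failover, which is the healthy post-failover picture the page describes.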