Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2370
Views
15
Helpful
6
Replies

Applying two crypto map to same interface caused outage

Go to solution
mahesh18
Level 6
Level 6

‎05-05-2020 05:14 PM

Hi everyone,

 

Seems on Cisco ASA 8.2 we have remote vpn configured with crypto  map name VPN.

I did config for site to site IPSEC tunnel with new crypto map name L2L.

 

When i apply this new crypto map to the outside interface then old crypto map VPN was no longer applied to the

outside interface.

 

Need to confirm if this is by design?

 

Old crypto map policy number is 10

new crypto map plicy number was 20

 

Regards

Mahesh 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mahesh18

‎05-06-2020 01:28 AM

Only one "crypto map <name>" can be applied to a given interface at one time.

As implied, we use sequence numbers within the crypto map to accommodate multiple distinct VPNs.

As long as the ACLs for matching ("interesting") traffic don't have any overlaps or conflicts it will work fine.

View solution in original post

6 Replies 6

Go to solution
kapydan88
Level 4
Level 4

‎05-05-2020 07:58 PM

Hello.

 

Yes, you can do this - but you need to increase sequence number - in my example its 10 and 20.

 

crypto map WAN_MAP 10 match address 123
crypto map WAN_MAP 10 set peer 3.13.24.2
crypto map WAN_MAP 10 set ikev1 transform-set dessha
crypto map WAN_MAP 10 set security-association lifetime seconds 28800
crypto map WAN_MAP 10 set security-association lifetime kilobytes 4608000
crypto map WAN_MAP 10 set reverse-route
crypto map WAN_MAP 20 match address 11
crypto map WAN_MAP 20 set pfs group14
crypto map WAN_MAP 20 set peer 9.16.43.8
crypto map WAN_MAP 20 set ikev2 ipsec-proposal AES256-SHA512
crypto map WAN_MAP 20 set security-association lifetime seconds 3600
crypto map WAN_MAP 20 set security-association lifetime kilobytes 4608000

 

crypto map WAN_MAP interface <outside interface name>

Go to solution
mahesh18
Level 6
Level 6
In response to kapydan88

‎05-05-2020 08:31 PM

I was asking if we can apply two different crypto map names to same interface?

for example

 

crypto map  test1

crypto map  test 2 

 

 

0 Helpful

Go to solution
kapydan88
Level 4
Level 4
In response to mahesh18

‎05-05-2020 08:37 PM

I was asking if we can apply two different crypto map names to same interface? - No.

Go to solution
mahesh18
Level 6
Level 6
In response to kapydan88

‎05-05-2020 09:41 PM

thanks for answering the question.

Currently we have sequence number 10 and 65535 for remote vpn users.

 

if i use sequence number 20  for IPSEC lan to lan tunnel then it should not cause any issues right?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mahesh18

‎05-06-2020 01:28 AM

Only one "crypto map <name>" can be applied to a given interface at one time.

As implied, we use sequence numbers within the crypto map to accommodate multiple distinct VPNs.

As long as the ACLs for matching ("interesting") traffic don't have any overlaps or conflicts it will work fine.

Go to solution
mahesh18
Level 6
Level 6
In response to Marvin Rhoads

‎05-06-2020 04:51 AM

Many Thanks Marvin.

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card