Bridge Groups using Easy VPN - 5506X

mawright1
Level 1

Hello, I'm trying to configure a bridge group, for example:

interface BVI2
nameif inside
security-level 100
ip address xx.xx.xx.xx xxx.xxx.xxx.x

interface GigabitEthernet1/2
bridge-group 2
nameif inside_2
security-level 100

interface GigabitEthernet1/3
bridge-group 2
nameif inside_3
security-level 100

interface GigabitEthernet1/4
bridge-group 2
nameif inside_4
security-level 100

interface GigabitEthernet1/5
bridge-group 2
nameif inside_5
security-level 100

interface GigabitEthernet1/6
bridge-group 2
nameif inside_6
security-level 100

interface GigabitEthernet1/7
bridge-group 2
nameif inside_7
security-level 100

interface GigabitEthernet1/8
bridge-group 2
nameif inside_8
security-level 100

But I also have Easy VPN set up, so when I enter 'vpnclient enable' I get this message:

'Unable to determine Easy VPN Remote internal and external interfaces: multiple interfaces with the same security levels'

Which is fair enough!!

But I want to know how to get around this issue, as I want to configure the ports to effectively work as switchports but I cannot activate the VPN.

Thanks.

4 Replies

mawright1
Level 1

Can anyone assist with this?

I need to know how to configure bridge groups (switchports) but also use EZVPN.

Please.

I did some research in the Cisco internal database and I was able to find that this is a limitation on the ASA. There is an enhancement request already opened, but I don't know when there will be a fix.

According to the Cisco database, both 9.7 and 9.8 version codes are affected.

Please find below direct links to the enhancements:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd79307

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd98614

As a workaround, you can configure a Site to Site with Dynamic peer in case your ASA has a dynamic public IP address.

Looks like this is still an issue even with 9.10(1)22.

We have exhausted all of our 5505s being given out to home users and others who occasionally work from home. We are receiving requests to provide more and at this point, we have zero options. We tried the ISR1111 and those don't even do vpnclient, only server. I thought the 5506-X would be OK once we did the bridge-group to get around the routed interfaces, but now we are hitting this issue. This stinks, come on Cisco!

@Noclss2000 I see no reason why the ISR1111 cannot be used for home users. Do you want to clarify your issue in more detail?

The 5506X series is now EOL; check out the new Firepower 1000 series appliances. This new hardware, with FTD 6.5 code due for release later this year, should also allow for switchport interfaces.

HTH
