11-02-2017 09:19 AM - edited 02-21-2020 06:37 AM
Hello, I'm trying to configure a bridge group, for example:
interface BVI2
 nameif inside
 security-level 100
 ip address xx.xx.xx.xx xxx.xxx.xxx.x
interface GigabitEthernet1/2
 bridge-group 2
 nameif inside_2
 security-level 100
interface GigabitEthernet1/3
 bridge-group 2
 nameif inside_3
 security-level 100
interface GigabitEthernet1/4
 bridge-group 2
 nameif inside_4
 security-level 100
interface GigabitEthernet1/5
 bridge-group 2
 nameif inside_5
 security-level 100
interface GigabitEthernet1/6
 bridge-group 2
 nameif inside_6
 security-level 100
interface GigabitEthernet1/7
 bridge-group 2
 nameif inside_7
 security-level 100
interface GigabitEthernet1/8
 bridge-group 2
 nameif inside_8
 security-level 100
But I also have Easy VPN set up, so when I enter 'vpnclient enable' I get this message:
'Unable to determine Easy VPN Remote internal and external interfaces: multiple interfaces with the same security levels'
Which is fair enough!!
But I want to know how to get around this issue, as I want to configure the ports to effectively work as switchports but I cannot activate the VPN.
Thanks.
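The following added example, which is not part of the original post or any Cisco tooling, parses interface stanzas shaped like the ones above and lists every security level shared by more than one named interface, the condition named in the error message. The outside interface in the sample is constructed, and treating any shared level as a conflict is an assumption drawn from the error text, not documented ASA behavior.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the posted configuration; the outside
# interface is an assumption added so the sample has more than one level.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
interface BVI2
 nameif inside
 security-level 100
interface GigabitEthernet1/2
 bridge-group 2
 nameif inside_2
 security-level 100
interface GigabitEthernet1/3
 bridge-group 2
 nameif inside_3
 security-level 100
"""

def parse_interfaces(config):
    """Return {interface name: {"nameif", "security-level", "bridge-group"}}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # works whether or not sub-commands are indented
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = re.match(r"(nameif|security-level|bridge-group)\s+(\S+)$", line)
        if m:
            key, val = m.groups()
            current[key] = val if key == "nameif" else int(val)
    return interfaces

def shared_security_levels(config):
    """Map each level used by more than one named interface to those nameifs."""
    by_level = defaultdict(list)
    for attrs in parse_interfaces(config).values():
        if "nameif" in attrs and "security-level" in attrs:
            by_level[attrs["security-level"]].append(attrs["nameif"])
    return {lvl: names for lvl, names in by_level.items() if len(names) > 1}

if __name__ == "__main__":
    for level, names in sorted(shared_security_levels(SAMPLE_CONFIG).items()):
        print(f"security-level {level} shared by: {', '.join(names)}")
```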
01-12-2018 02:44 AM
Can anyone assist with this?
I need to know how to configure bridge groups (switchports) but also use EZVPN.
Please.
03-07-2018 02:14 AM
I did some research in the Cisco internal database and I was able to find that this is a limitation on the ASA. There is an enhancement request already opened but I don't know when there will be a fix.
According to the Cisco database, both 9.7 and 9.8 code versions are affected.
Please find below a direct link to the enhancements:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd79307
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd98614
As a workaround you can configure a Site to Site with Dynamic peer in case your ASA has a dynamic public IP address.
06-14-2019 12:28 PM - edited 06-14-2019 12:28 PM
Looks like this is still an issue even with 9.10(1)22.
We have exhausted all of our 5505s being given out to home users and others who occasionally work from home. We are receiving requests to provide more and at this point, we have zero options. We tried the ISR1111 and those don't even do vpnclient, only server. I thought the 5506-X would be OK once we did the bridge-group to get around the routed interfaces, but now we are hitting this issue. This stinks, come on Cisco!
06-14-2019 12:43 PM
@Noclss2000 I see no reason why the ISR1111 cannot be used for home users. Do you want to clarify your issue in more detail?
The 5506X series is now EOL. Check out the new Firepower 1000 series appliances; this new hardware with FTD 6.5 code, due for release later this year, should also allow for switchport interfaces.
HTH