Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1269
Views
0
Helpful
3
Replies

Two IPSec tunnels, wrong tunnel being used

jokes54321
Level 1
Level 1

‎01-18-2020 04:45 AM - edited ‎01-18-2020 04:55 AM

I have a branch office with an IPSec tunnel to the core data center. For the interesting traffic, it's the branch subnet (10.2.0.0/24) to 10.0.0.0/8.

 

This branch now has a need to reach another branch office, so rather than hairpin the traffic off the data center firewall, another IPSec tunnel was setup between the branches, with the interesting traffic being more specific (10.2.0.0/24 to 10.3.0.0/24). The second tunnel comes up, and I can see the ASA decapsulating the inbound traffic, but it appears the outbound traffic is traversing the first tunnel since the summary subnet covers the interesting traffic.

 

Is there a way to prevent this?

 

I adjusted the interesting traffic ACL on the first tunnel and added a deny 10.2.0.0/24 to 10.3.0.0/24 to the top, but it didn't resolve the issue. I was thinking a filter might do the trick, but I don't know if the filter will drop the traffic completely, or if the ASA would then try the second tunnel.

 

Denny

Labels:
0 Helpful
3 Replies 3

Rob Ingram
VIP
VIP

‎01-18-2020 05:18 AM

Hi,

For the VPN tunnel to the other branch sites, try changing the sequence number under the crypto map to be higher/more preferred. Thus the ASA will attempt to establish a tunnel to the more specific network first, before the DC.

 

HTH

0 Helpful

jokes54321
Level 1
Level 1
In response to Rob Ingram

‎01-18-2020 05:22 AM

I appreciate the quick reply.

 

Quick question, what if the data center tunnel happens to come up first, would the sequence still prevail when the branch to branch tunnel comes up?

 

Denny

0 Helpful

Rob Ingram
VIP
VIP
In response to jokes54321

‎01-18-2020 06:34 AM

That's a very good point, if the DC VPN is establish first then the branch traffic will match the remote proxy ID and be sent via the DC.

The alternative I can think of is, on the branch sites instead of using 10.0.0.0/8 for the DC networks, define an network objects using a range which specifically excludes the branch site network(s). Reference the objects in the crypto ACL used to define the interesting traffic.

HTH
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card