01-18-2020 04:45 AM - edited 01-18-2020 04:55 AM
I have a branch office with an IPSec tunnel to the core data center. For the interesting traffic, it's the branch subnet (10.2.0.0/24) to 10.0.0.0/8.
This branch now has a need to reach another branch office, so rather than hairpin the traffic off the data center firewall, another IPSec tunnel was set up between the branches, with the interesting traffic being more specific (10.2.0.0/24 to 10.3.0.0/24). The second tunnel comes up, and I can see the ASA decapsulating the inbound traffic, but it appears the outbound traffic is traversing the first tunnel since the summary subnet covers the interesting traffic.
Is there a way to prevent this?
I adjusted the interesting traffic ACL on the first tunnel and added a deny 10.2.0.0/24 to 10.3.0.0/24 to the top, but it didn't resolve the issue. I was thinking a filter might do the trick, but I don't know if the filter will drop the traffic completely, or if the ASA would then try the second tunnel.
Denny
01-18-2020 05:18 AM
Hi,
For the VPN tunnel to the other branch sites, try changing the sequence number under the crypto map to be higher/more preferred. Thus the ASA will attempt to establish a tunnel to the more specific network first, before the DC.
HTH
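As an added illustration of the ordering suggested above (this is not configuration from the thread, and the object names, map name, peer addresses and transform set are placeholders), here is how the two crypto map entries would look on the branch ASA. The ASA walks the crypto map entries in ascending sequence-number order and uses the first entry whose crypto ACL matches the outbound packet, so the specific branch-to-branch entry needs the lower sequence number and the 10.0.0.0/8 summary entry the higher one.

```text
! Added example, not from the original post. Names and peer IPs are placeholders.
object network BRANCH-A
 subnet 10.2.0.0 255.255.255.0
object network BRANCH-B
 subnet 10.3.0.0 255.255.255.0
object network DC-SUMMARY
 subnet 10.0.0.0 255.0.0.0

! Interesting traffic for the branch-to-branch tunnel (more specific)
access-list VPN-BRANCH-B extended permit ip object BRANCH-A object BRANCH-B
! Interesting traffic for the data-center tunnel (summary)
access-list VPN-DC extended permit ip object BRANCH-A object DC-SUMMARY

! Lower sequence number is evaluated first, so the specific entry goes at 10
crypto map OUTSIDE_MAP 10 match address VPN-BRANCH-B
crypto map OUTSIDE_MAP 10 set peer 203.0.113.30
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
! Summary entry to the data center at 20
crypto map OUTSIDE_MAP 20 match address VPN-DC
crypto map OUTSIDE_MAP 20 set peer 203.0.113.10
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Verification: the branch-to-branch SA should now show encaps counters
! climbing for 10.2.0.0/24 -> 10.3.0.0/24 instead of the data-center SA
show run crypto map
show crypto ipsec sa peer 203.0.113.30
```

With this ordering the choice of tunnel is made per outbound packet by the crypto ACL match, not by which tunnel happened to be established first, so the data-center SA coming up before the branch-to-branch SA does not change the result. The far-side branch still needs a mirror-image crypto ACL (10.3.0.0/24 to 10.2.0.0/24) for phase 2 to negotiate.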
01-18-2020 05:22 AM
I appreciate the quick reply.
Quick question, what if the data center tunnel happens to come up first, would the sequence still prevail when the branch to branch tunnel comes up?
Denny
01-18-2020 06:34 AM