Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
605
Views
15
Helpful
4
Replies

VPN tunnel from ASA to 2 sites both having same destination private subnet i.e 172.16.1.0/24

Go to solution
Nitesh_A
Level 1
Level 1

‎01-09-2021 08:51 AM

Hello Experts,

 

Just want to know is it possible to establish tunnel from MAINOFFICE ASA(in diagram) to SITE1 ASA & SITE2 router. I know both wont be established at same time.

 

But what if MAINOFFICE ASA tunnel has been established with SITE1 and traffic is flowing fine.

Once i remove the peer by "no crypto map CMAP 10 set peer 2.2.2.3". 

 

So is it possible for the traffic to flow to SITE2 router because there is only one peer now i.e

"crypto map CMAP 20 set peer 3.3.3.3". I have attached my topology diagram where i was trying to accomplish the same but couldn't succeed.

Selection_024.png

 

 

Below snap has debug logs from SITE2 router.Selection_025.png

Thankyou

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎01-09-2021 02:29 PM

crypto map anyname set peer IP1 IP2 

since both IP1 & IP2 serve the same subnet.

View solution in original post

4 Replies 4

Go to solution
Karsten Iwen
VIP
VIP

‎01-09-2021 09:47 AM

Yes, it should work. I would do it a little different:

Scenario1:

Configure two EEM applets: One to remove the complete config for site 1 and adds the config for site two. And one with the oposite.

Scenario2:

Or even better, configure two route-based VPNs to both peers. These VPNs have no knowledge ot the connected networks and can be established at the same time. You only need a static route pointing to one or the other tunnel.

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎01-09-2021 02:29 PM

crypto map anyname set peer IP1 IP2 

since both IP1 & IP2 serve the same subnet.

Go to solution
Karsten Iwen
VIP
VIP
In response to MHM Cisco World

‎01-10-2021 01:39 AM - edited ‎01-10-2021 02:13 AM

@MHM Cisco World wrote:

crypto map anyname set peer IP1 IP2 

since both IP1 & IP2 serve the same subnet.

they serve the same subnet but not the same network. Putting both IPs in the same crypto-map sequence will not work here.

Go to solution
Nitesh_A
Level 1
Level 1
In response to Karsten Iwen

‎01-10-2021 02:10 AM

@MHM Cisco World Yes this worked.

Why it didn't work when i define crypto map CMAP 10 set peer 2.2.2.2 & crypto map CMAP 20 set peer3.3.3.3 in two seperate line?

 

WhatsApp Image 2021-01-10 at 8.39.08 AM.jpegWhatsApp Image 2021-01-10 at 8.42.37 AM.jpeg

 

@Karsten Iwen I dont know about route based vpn , i will read it and will try to accomplish by that way as well.

If you have a link where i can read, please share. Thankyou so much for the help

 

Thankyou

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card