Well, thats a good point. I guess we will consider that instead of SD-Card.   Thanks Thomas ... View more

Hi Karsten, thanks for your reply. The problem is solved, I was not aware of the fact, that the management port also needs to have a link? Plugin a RJ45 into the Managmen0/0 and removing IP Addresses and Security Level solved it for me. Regards,   Thomas ... View more

Hello, I have a question about how to connect to the ASA-CX. The Problem is, that I need to connect to the ASA-CX over the internet. As described in the Guides, it is possible to access over the Management Port or from the Inside Network. Therefore I configured an Anyconnect VPN and changed the Management Interface to Inside, which makes it possible to connect to the ASDM & SSH to the ASA but not the ASA-CX. What I did is "session cxsc console --> setup" and configured an IP Address from the Inside Network. Is there any way to connect to the ASA-CX on that way? I really need a solution on that, as the ASA is located in Sweden and I don't have physical access to the device.   Best regards, Thomas ... View more

Hello and sorry to bring this old topic up again :-) I'm aware of the certificate group map feature but in our environment we are not able to use it, as the customer wants to use the option of "group-delimiter #" to make users fall into a special tunnel-group in some circumstances. I have heard, that you could name the tunnel-group the same as the OU-Field from the certificate to make users fall into that tunnel-group, is this correct and is there any documentation from cisco about that feature? I'm relatively new to ASA and what I have learned is, to use certificate group map :-) Thank you guys in advice. Best regards, Thomas ... View more

Hello Marcin, it is working now :-) First I was running a dual stacked spoke as well, but now I am using one IPv4 and one IPv6 only spoke. The ipsec profiles are "shared", because besides the two shown tunnels I have one more IPv4 and IPv6 Tunnel for Extranetuse. The Spoke sites use "shared" as well, because they build a backup VPN Tunnel to a second Hub router. I have removed the "keepalive 10 3" from my Tunnel interfaces and rebooted the routers and everything is working now. Here are my final configurations: Crypto crypto isakmp policy 10 encr aes 256 authentication pre-share group 14 crypto isakmp key cisco address 0.0.0.0         no-xauth crypto isakmp key cisco address ipv6 ::/0 no-xauth crypto isakmp keepalive 10 periodic crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac mode tunnel crypto ipsec profile My-Profile-v4 description ** IPsec Profile fuer IPv4 Peers ** set transform-set My-Set set pfs group2 crypto ipsec profile My-Profile-v6 description ** IPsec Profile fuer IPv6 Peers ** set transform-set My-Set set pfs group2 Tunnel Hub Dual Stacked interface Tunnel1 description ** DMVPN Intranet IPv4 ** bandwidth 1000 ip vrf forwarding VPN ip address 10.0.10.1 255.255.255.0 no ip redirects ip mtu 1416 no ip next-hop-self eigrp 65351 no ip split-horizon eigrp 65351 ip pim sparse-mode ip nhrp map multicast dynamic ip nhrp network-id 1 ip nhrp holdtime 360 ip nhrp shortcut ip nhrp redirect ip tcp adjust-mss 1360 load-interval 30 tunnel source GigabitEthernet0 tunnel mode gre multipoint tunnel key 1 tunnel protection ipsec profile My-Profile-v4 shared ! interface Tunnel2 description ** DMVPN Intranet IPv6 ** bandwidth 1000 ip vrf forwarding VPN ip address 10.0.12.1 255.255.255.0 ip mtu 1416 no ip next-hop-self eigrp 65351 no ip split-horizon eigrp 65351 ip pim sparse-mode ip nhrp map multicast dynamic ip nhrp network-id 2 ip nhrp holdtime 360 ip nhrp shortcut ip nhrp redirect ip tcp adjust-mss 1360 load-interval 30 tunnel source GigabitEthernet0 tunnel mode gre multipoint ipv6 tunnel key 2 tunnel protection ipsec profile My-Profile-v6 shared end Tunnel Spoke IPv4 interface Tunnel1 description ** DMVPN Intranet IPv4 ** ip vrf forwarding VPN ip address 10.0.10.2 255.255.255.0 no ip redirects ip mtu 1416 ip pim sparse-mode ip nhrp map 10.0.10.1 1.1.1.1 ip nhrp map multicast 1.1.1.1 ip nhrp network-id 1 ip nhrp holdtime 360 ip nhrp nhs 10.0.10.1 ip nhrp shortcut ip tcp adjust-mss 1360 delay 1000 tunnel source GigabitEthernet0 tunnel mode gre multipoint tunnel key 1 tunnel protection ipsec profile My-Profile-v4 shared end Tunnel Spoke IPv6 interface Tunnel1 description ** DMVPN Intranet IPv6 ** ip vrf forwarding VPN ip address 10.0.12.2 255.255.255.0 no ip redirects ip mtu 1416 ip pim sparse-mode ip nhrp map 10.0.12.1 2001:1:1:1::1 ip nhrp map multicast 2001:1:1:1::1 ip nhrp network-id 2 ip nhrp holdtime 360 ip nhrp nhs 10.0.12.1 ip nhrp shortcut ip tcp adjust-mss 1360 delay 1000 tunnel source GigabitEthernet0 tunnel mode gre multipoint ipv6 tunnel key 2 tunnel protection ipsec profile My-Profile-v6 shared end Thanks again Thomas ... View more