Was just about to start migrating my tunnels from policy to VTIs and saw this limitation, then found this old post. I have less than 100 currently, but I could see myself using more in the future. Is this just an arbitrary software limitation?
Thank you for the responses. The problem ended up being that this shoddy AT&T U-verse DSL modem/router device acts as a NAT router even when in semi-bridge mode. By putting the ASA into the DMZPlus mode, any device connected to the U-verse router can have NAT performed against it, and any ports NOT used by those devices are forwarded to the ASA by default.
Before the DMZPlus was activated for the ASA, it was connected through, and NAT'd behind, the U-verse router. Its outside interface had a DHCP address within the U-verse router's internal IP address pool. Apparently the traffic flow for this tunnel started and had a NAT session opened up to that tunnel destination with a source of the original NAT'd IP address. After the DMZPlus mode, the ASA now showed it had the public IP address for its DHCP address, but the NAT session remained in the U-verse router's NAT memory. Any port 500 traffic from the tunnel destination ended up trying to get NAT'd to the old IP address and did not get properly routed to the ASA. It was a fluke that one tunnel worked and one didn't.
Rebooting the U-verse router resolved the issue. Yay consumer gear.
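The stale-session behaviour described in the post above, as an added illustration (this is example code written for this page, not the U-verse firmware's actual logic or any ASA configuration): a toy model of a DMZPlus-style NAT session table in which an existing session entry takes precedence over the default "forward unused ports to the DMZPlus host" rule. All addresses and the pre-DMZPlus private address of the ASA are constructed values; the model assumes only what the post states, namely that a session created before DMZPlus was enabled still points at the ASA's old private address, that peers with no session fall through to the DMZPlus host, and that a reboot clears the table.

```python
"""Toy model of a consumer NAT router's session table (constructed example).

Reproduces the symptom from the post: a tunnel peer whose IKE (UDP/500)
session was created before DMZPlus was enabled keeps hitting the ASA's old
private address, while a peer with no existing session falls through to the
DMZPlus default-forward and reaches the ASA. Rebooting (flushing the table)
fixes both. Not real U-verse or ASA code; all addresses are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IKE_PORT = 500  # UDP/500, the ISAKMP/IKE port the post refers to

SessionKey = Tuple[str, str, int, int]  # (proto, remote_ip, remote_port, local_port)


@dataclass
class NatRouter:
    """DMZPlus-style router: an existing session entry wins; otherwise any
    port not claimed by an internal device is forwarded to the DMZPlus host."""
    public_ip: str
    dmzplus_host: Optional[str] = None          # address the DMZPlus device holds
    sessions: Dict[SessionKey, str] = field(default_factory=dict)

    def outbound(self, proto: str, inside_ip: str, sport: int,
                 remote_ip: str, dport: int) -> None:
        # An outbound flow creates a session entry so replies are mapped back
        # to the inside address that originated the flow.
        self.sessions[(proto, remote_ip, dport, sport)] = inside_ip

    def inbound(self, proto: str, remote_ip: str, sport: int,
                dport: int) -> Optional[str]:
        # Returns the inside destination the packet is delivered to, or None
        # if the router drops it.
        key = (proto, remote_ip, sport, dport)
        if key in self.sessions:            # stale or not, the session entry wins
            return self.sessions[key]
        if self.dmzplus_host is not None:   # unclaimed port -> DMZPlus host
            return self.dmzplus_host
        return None

    def reboot(self) -> None:
        # Consumer gear keeps the session table only in RAM; a reboot flushes it.
        self.sessions.clear()


def simulate() -> Tuple[Dict[str, Optional[str]], Dict[str, Optional[str]]]:
    """Walk through the sequence in the post; returns where each peer's
    inbound UDP/500 lands (before reboot, after reboot)."""
    public_ip = "203.0.113.10"       # constructed: the U-verse WAN address
    asa_private = "192.168.1.64"     # constructed: ASA outside addr before DMZPlus
    peer_a = "198.51.100.1"          # constructed: tunnel that started before DMZPlus
    peer_b = "198.51.100.2"          # constructed: tunnel that first spoke afterwards

    router = NatRouter(public_ip=public_ip)

    # 1. Before DMZPlus: the ASA, on a private DHCP address, initiates IKE to
    #    peer A. The router records a session back to the private address.
    router.outbound("udp", asa_private, IKE_PORT, peer_a, IKE_PORT)

    # 2. DMZPlus enabled: the ASA now holds the public IP directly, but the
    #    old session entry survives in the router's NAT memory.
    router.dmzplus_host = public_ip

    # 3. Both peers send IKE to the public IP. Peer A's packets are NAT'd to
    #    the old private address (nothing answers there); peer B's fall
    #    through to the DMZPlus host, i.e. the ASA. One tunnel up, one down.
    before = {p: router.inbound("udp", p, IKE_PORT, IKE_PORT) for p in (peer_a, peer_b)}

    # 4. Reboot flushes the stale session; both peers now reach the ASA.
    router.reboot()
    after = {p: router.inbound("udp", p, IKE_PORT, IKE_PORT) for p in (peer_a, peer_b)}
    return before, after


if __name__ == "__main__":
    stale, fresh = simulate()
    for peer, dest in stale.items():
        print(f"before reboot: {peer} -> {dest}")
    for peer, dest in fresh.items():
        print(f"after reboot:  {peer} -> {dest}")
```

The practical check this models: if one tunnel comes up and another does not after a NAT-mode change on the upstream device, suspect stale state on that device (its session table, not the ASA's) before touching crypto maps or VTI configuration.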