09-22-2018 08:42 PM - edited 09-24-2018 09:22 AM
Hello experts,
I have an ASA5510 (HQ) with two ASA5505s (BRs) connected via site-to-site VPN.
The 5510 uses one outside interface for all tunnels. Each 5505 uses one as well. Everything works fine.
Now I have one additional internet connection (outside2) on one of the 5505s (BR1). On this 5505 I just added a new crypto map sequence with the previous match address <VPN-BR1-TO-HQ>, set peer, transform set and a new crypto interface (outside2).
!
access-list VPN-BR1-TO-HQ extended permit ip object-group BR1-NETS object-group HQ-NETWORKS
!
crypto map VPN 1 match address VPN-BR1-TO-HQ
crypto map VPN 1 set peer 190.28.45.33 (same peer)
crypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN interface outside
!
crypto map VPN 2 match address VPN-BR1-TO-HQ
crypto map VPN 2 set peer 190.28.45.33 (same peer)
crypto map VPN 2 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN interface outside2
!
tunnel-group 190.28.45.33 type ipsec-l2l
tunnel-group 190.28.45.33 ipsec-attributes
ikev1 pre-shared-key ****
!
On the 5510 I added a new crypto map sequence with the same <VPN-HQ-TO-BR1> match address, the new set peer, the transform set, and the same outside interface.
!
access-list VPN-HQ-TO-BR1 extended permit ip object-group HQ-NETS object-group BR1-NETS
access-list VPN-HQ-TO-BR1 extended permit ip object-group BR2-NETS (other spoke) object-group BR1-NETS
!
!
crypto map VPN 1 match address VPN-HQ-TO-BR1
crypto map VPN 1 set peer 203.7.113.2
crypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN 2 match address VPN-HQ-TO-BR1
crypto map VPN 2 set peer 198.55.100.2
crypto map VPN 2 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN interface outside (same interface for both)
..
..
crypto map VPN <n>...
!
!
tunnel-group 203.7.113.2 type ipsec-l2l
tunnel-group 203.7.113.2 ipsec-attributes
ikev1 pre-shared-key ****
!
tunnel-group 198.55.100.2 type ipsec-l2l
tunnel-group 198.55.100.2 ipsec-attributes
ikev1 pre-shared-key ****
!
Something weird is happening. Both tunnels are formed, both pass phase 1 and phase 2, but tunnel 2 does not route the traffic.
If I disconnect tunnel 1, tunnel 2 stays up but does not route traffic. There are decaps but no encaps; the same goes for encryption.
I discovered that if I delete crypto map 1 on the 5510, tunnel 2 starts to pass traffic (routing).
It also works if I move crypto map 1 to 3 (on the 5510): tunnel 2 works fine, but now crypto map 3 does not.
In this scenario, only the first crypto map defined works; the second doesn't. Changing the order of definition, moving the "bad" crypto map to the top (or above the good one), forces this tunnel to work, to the detriment of the good one.
How can I fix this?
Is it possible to do that with a crypto dynamic-map? If so, how can it be done using only ikev1?
Thanks,
RJB
09-25-2018 12:04 PM
Hello, I solved my issue by changing the preferred peer behavior: deleting the second crypto map and just adding the second IP to the peer list.
!
crypto map VPN 1 match address VPN-HQ-TO-BR1
crypto map VPN 1 set peer 203.7.113.2 198.55.100.2
crypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN interface outside (same interface for both)
..
..
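The behaviour behind the fix: the ASA evaluates a crypto map in sequence order and the first entry whose match ACL covers the traffic owns it, so a second sequence that reuses the same ACL never sees any traffic (it can still build SAs, which is why both tunnels showed phase 1 and phase 2 up but only decaps). Listing both addresses under one entry's set peer turns the second address into a fallback peer instead of a shadowed entry. The script below is an added example, not code from the thread or from Cisco: a small lint that parses the handful of crypto map commands shown above, reports sequences shadowed by an earlier one with the same ACL, and rewrites them into the merged single-entry form when the transform set matches (anything else is left alone and reported). The configuration text and the 192.0.2.10 peer are constructed for the example; the lint does not look at the branch side of the tunnel.

```python
import re

# Constructed sample modelled on the thread's 5510 layout; not a real device config.
SAMPLE_CONFIG = """\
crypto map VPN 1 match address VPN-HQ-TO-BR1
crypto map VPN 1 set peer 203.7.113.2
crypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN 2 match address VPN-HQ-TO-BR1
crypto map VPN 2 set peer 198.55.100.2
crypto map VPN 2 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN 3 match address VPN-HQ-TO-BR2
crypto map VPN 3 set peer 192.0.2.10
crypto map VPN 3 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def parse_crypto_maps(config):
    """Return ({map: {seq: {acl, peers, transform, other}}}, {map: [interfaces]})."""
    maps, ifaces = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            ifaces.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # only the crypto map commands from the thread are modelled
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = maps.setdefault(name, {}).setdefault(
            seq, {"acl": None, "peers": [], "transform": None, "other": []})
        if rest.startswith("match address "):
            entry["acl"] = rest.split()[2]
        elif rest.startswith("set peer "):
            entry["peers"].extend(rest.split()[2:])  # 'set peer' may list several addresses
        elif rest.startswith("set ikev1 transform-set "):
            entry["transform"] = rest.split()[3]
        else:
            entry["other"].append(rest)
    return maps, ifaces


def find_shadowed(config):
    """List (map, acl, winning_seq, [shadowed_seqs]) for ACLs reused by later sequences.

    The ASA walks the map in ascending sequence order and the first entry whose
    ACL matches owns the traffic, so later sequences with the same ACL get none.
    """
    findings = []
    maps, _ = parse_crypto_maps(config)
    for name, entries in maps.items():
        by_acl = {}
        for seq in sorted(entries):
            if entries[seq]["acl"]:
                by_acl.setdefault(entries[seq]["acl"], []).append(seq)
        for acl, seqs in by_acl.items():
            if len(seqs) > 1:
                findings.append((name, acl, seqs[0], seqs[1:]))
    return findings


def merge_peers(config):
    """Fold shadowed sequences into the winning one as additional 'set peer' addresses.

    Returns (rewritten_config, skipped). A shadowed sequence is merged only when its
    transform set equals the winner's and it carries no other settings; otherwise it
    is kept and reported in `skipped` so a person can decide.
    """
    maps, ifaces = parse_crypto_maps(config)
    skipped = []
    for name, _acl, winner, losers in find_shadowed(config):
        entries = maps[name]
        for seq in losers:
            if entries[seq]["transform"] != entries[winner]["transform"] or entries[seq]["other"]:
                skipped.append((name, seq))
                continue
            for peer in entries[seq]["peers"]:
                if peer not in entries[winner]["peers"]:
                    entries[winner]["peers"].append(peer)  # order = preference order
            del entries[seq]
    out = []
    for name, entries in maps.items():
        for seq in sorted(entries):
            e = entries[seq]
            if e["acl"]:
                out.append(f"crypto map {name} {seq} match address {e['acl']}")
            if e["peers"]:
                out.append(f"crypto map {name} {seq} set peer {' '.join(e['peers'])}")
            if e["transform"]:
                out.append(f"crypto map {name} {seq} set ikev1 transform-set {e['transform']}")
            out.extend(f"crypto map {name} {seq} {rest}" for rest in e["other"])
        for iface in ifaces.get(name, []):
            out.append(f"crypto map {name} interface {iface}")
    return "\n".join(out) + "\n", skipped


if __name__ == "__main__":
    for name, acl, winner, losers in find_shadowed(SAMPLE_CONFIG):
        print(f"{name}: ACL {acl} owned by seq {winner}; seq {losers} never receive traffic")
    merged, skipped = merge_peers(SAMPLE_CONFIG)
    print(merged, "skipped (transform mismatch or extra settings):", skipped)
```

Run against a `show running-config crypto map` capture, the first loop flags the exact symptom from the thread (a later sequence sharing VPN-HQ-TO-BR1 with sequence 1), and the merged output is the form the accepted answer uses, with the first peer in the list treated as primary.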