Site-to-Site VPN upgrade from 8.2 --> 8.3 --> 8.4

Alan Herriman
Level 1

Hello all,

I have done some searching to find where my mistake is, but I have come up empty, so I was hoping someone might be able to shed some light on the situation. I recently just upgraded an ASA from 8.2 up to 8.4 (8.4(4)1 to be specific). We have two site-to-site VPNs coming into the ASA, and one of the VPNs came up and the other did not. It looks like it is not even getting to the ISAKMP exchange. However, I noticed that one ASA is set up with the crypto map that points to an ACL using an object-group, and the one that is working uses a crypto map that points to an object network. Should the auto-conversion process of upgrading the code have converted the object-group to an object network, or is this still a valid way to define interesting traffic on the ASA?

Also for my NAT statement to exempt traffic I have seen many people using the identity nat without the no-proxy-arp and route-lookup additions and some with. Which is the correct way in 8.4? Any information would be very much appreciated!

Best Regards,

Alan

1 Accepted Solution

Julio Carvajal
VIP Alumni

Hello Alan,

The route-lookup is for a bug when you are unable to ping the inside interface from the other side of the tunnel.

Now, as long as the crypto ACL is properly set, it does not matter if you are using one or the other...

You can share both site-to-site configs and I can check them if you like.

Please rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for the response. I rechecked the crypto map ACLs and discovered they were not the same on both ends of the VPN tunnel. There was also a routing problem, so traffic wasn't necessarily routing properly to the VPN tunnel. Thanks for your suggestion, it helped!

Best Regards,

Alan
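
The root cause reported in the last reply, crypto map ACLs that were not the same on both ends, can be checked offline before a change window. The Python below is an added example, not part of the original thread: it expands each peer's crypto ACL (written with an object-group, an object network, or literal address/mask pairs) into network pairs and reports entries that are not mirrored on the other side. The two configs are constructed samples, the function names are hypothetical, and only `subnet`, `network-object <addr> <mask>` and `permit ip` entries are handled.

```python
import ipaddress
import re

# Constructed sample configs; names and addresses are illustrative only.
SITE_A = """\
object-group network LOCAL-NETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
object network REMOTE-NET
 subnet 10.2.0.0 255.255.0.0
access-list VPN-ACL extended permit ip object-group LOCAL-NETS object REMOTE-NET
"""
SITE_B = "access-list VPN-ACL extended permit ip 10.2.0.0 255.255.0.0 10.1.1.0 255.255.255.0\n"

def parse_groups(config):
    """Map each object / object-group name to its set of networks."""
    groups, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"object(?:-group)? network (\S+)", line):
            current = groups.setdefault(m.group(1), set())
        elif m := re.match(r" (?:network-object|subnet) (\S+) (\S+)", line):
            if current is not None:
                current.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif not line.startswith(" "):
            current = None  # left the object definition block
    return groups

def take_operand(tokens, groups):
    """Consume one ACL operand and return it as a set of networks."""
    first = tokens.pop(0)
    if first in ("object", "object-group"):
        return groups[tokens.pop(0)]
    return {ipaddress.ip_network(f"{first}/{tokens.pop(0)}")}

def interesting_traffic(config, acl):
    """Expand 'permit ip' lines of one ACL into (source, destination) pairs."""
    groups, pairs = parse_groups(config), set()
    prefix = f"access-list {acl} extended permit ip "
    for line in config.splitlines():
        if line.startswith(prefix):
            tokens = line[len(prefix):].split()
            src, dst = take_operand(tokens, groups), take_operand(tokens, groups)
            pairs |= {(s, d) for s in src for d in dst}
    return pairs

def mirror_mismatches(local_cfg, remote_cfg, acl):
    """Return (pairs the peer lacks, pairs only the peer has), local orientation."""
    local = interesting_traffic(local_cfg, acl)
    peer = {(d, s) for s, d in interesting_traffic(remote_cfg, acl)}
    return local - peer, peer - local
```

With the sample data, `mirror_mismatches(SITE_A, SITE_B, "VPN-ACL")` flags 10.1.2.0/24 to 10.2.0.0/16 as defined on site A but absent from site B's ACL.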
