10-17-2010 07:17 PM - edited 02-21-2020 04:54 PM
Hi All,
I have a Cisco ASA 5520 at the head office and third-party devices at the branch offices. The VPNs are configured such that traffic is only defined at the branch office end; at the ASA crypto map, traffic is defined as any to any. This is to avoid creating configs over and over again on the ASA side when adding new sites, so that it can reuse the existing policies and crypto maps.
But I have noticed that for some VPNs, users are unable to ping a server in a specific range, say 192.X.X.X. If I restart the tunnel or the device at the branch office, it is accessible again.
Is there anything that is idle timing out, or any config I need to change?
Has anybody seen this, and is there any remedy?
Thanks
10-17-2010 07:21 PM
If I am not clear: the VPN at the branch site has, let's say, a few subnets defined:
10.X.X.X
172.X.X.X
192.X.X.X
While the others keep on working, 192 or 172 or any one of them goes missing while the others are still there. So it drops only a subnet, not the whole network. I think it's dropping the rarely used ones. When I log on from ASDM and monitor the VPN, it doesn't show all the subnets. The ASA drops the VPN to those subnets.
Any advice on how to cure this?
10-17-2010 08:25 PM
Unfortunately you can't have "permit ip any any" for the crypto ACL for all peers/tunnels, as the unique crypto ACL defines which peer/tunnel the encrypted traffic should be sent to. Hence you can't have overlapping subnets for each VPN peer. Native IPsec VPN is not routing based, unfortunately; that's why you would need to define the exact subnets to identify which tunnel/peer to encrypt and send the traffic to, as the IPsec SA is created based on that.
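The following is an added ASA 8.2-era configuration example illustrating the point made in the answer above; it is not taken from the thread or from the poster's device. All names (OUTSIDE_MAP, VPN-BRANCH-A, VPN-BRANCH-B, ESP-AES-256-SHA), peer addresses (203.0.113.10, 203.0.113.20, documentation ranges) and subnets (10.10.0.0/16 at head office, 10.1.0.0/16, 172.16.1.0/24 and 192.168.1.0/24 at branch A, 192.168.2.0/24 at branch B) are assumptions chosen for the example. The weak "any any" entry is shown first, then one crypto map entry per peer with a crypto ACL that names exactly the subnets that peer should receive, so the proxy identities negotiated in the IPsec SA match what the branch device proposes.

```cisco
! ---- Weak: one catch-all entry reused for every branch (do not use) ----
! Every branch is matched by sequence 10, so the ASA cannot tell which
! peer a given destination belongs to; the SA proxy identities (any/any)
! also have to be accepted by the remote side, which rarely matches what
! the branch device actually proposes.
access-list VPN-ANY extended permit ip any any
crypto map OUTSIDE_MAP 10 match address VPN-ANY
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-256-SHA

! ---- Corrected: a unique crypto ACL per peer, no overlapping subnets ----
! Phase 1 (assumed values; adjust to match the branch device)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2 transform set (ASA 8.4 and later use "set ikev1 transform-set")
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

! Branch A: head office 10.10.0.0/16 <-> the three branch-A subnets.
! Each line becomes one IPsec SA pair; the branch side must list the
! mirror image of these networks in its own policy.
access-list VPN-BRANCH-A extended permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list VPN-BRANCH-A extended permit ip 10.10.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list VPN-BRANCH-A extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0

! Branch B: a different, non-overlapping remote subnet.
access-list VPN-BRANCH-B extended permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0

! One crypto map sequence per peer; the ACL, not a route, selects the peer.
crypto map OUTSIDE_MAP 10 match address VPN-BRANCH-A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 28800

crypto map OUTSIDE_MAP 20 match address VPN-BRANCH-B
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800

crypto map OUTSIDE_MAP interface outside

! Site-to-site tunnel groups keyed on the peer address (keys are placeholders)
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <BRANCH-A-KEY>
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key <BRANCH-B-KEY>

! Verification: each line of the crypto ACL should appear as its own
! local/remote identity pair with non-zero encaps/decaps counters. A
! subnet that is missing here (rather than showing zero traffic) is a
! proxy-identity mismatch with the branch device, not an idle timeout.
show crypto ipsec sa peer 203.0.113.10
show crypto isakmp sa
```

When a rarely used subnet "disappears" in ASDM while the other subnets on the same peer stay up, compare the missing network against the branch device's policy line by line: with per-subnet crypto ACL entries, each subnet pair is its own Phase 2 SA, and an SA whose identities the two ends do not agree on will fail to rekey even though the neighbouring SAs for the same peer keep working.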