ASA dynamic vpn branch to branch issue

songyh068
Level 1

Hi, I am studying ASA dynamic VPN.

R5 is the headquarters, R6 and R7 are the branches.

I succeeded in the ping test between headquarters and branches

(between R5 and R6), (between R5 and R7)

but I failed the ping test from branch to branch

(between R6 and R7).

Here is the tricky issue:

If at R6 I first ping R7, there is no problem; at R7 I can also ping R6,

but

if at R7 I first ping R6, the ping fails;

at R6 I must ping R7!!

Please give me advice.

I attached the topology and ASA configuration.

Thank you.

ASAv1

crypto ikev1 enable OUTSIDE
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
access-list ACL_R67 extended permit ip host 5.5.5.5 host 6.6.6.6
access-list ACL_R67 extended permit ip host 5.5.5.5 host 7.7.7.7
access-list ACL_R67 extended permit ip host 7.7.7.7 host 6.6.6.6
access-list ACL_R67 extended permit ip host 6.6.6.6 host 7.7.7.7
!
crypto ipsec ikev1 transform-set TSET esp-aes-256 esp-sha-hmac
!
crypto dynamic-map DMAP_R67 10 match address ACL_R67
crypto dynamic-map DMAP_R67 10 set ikev1 transform-set TSET
crypto dynamic-map DMAP_R67 10 set reverse-route
crypto map CMAP 10 ipsec-isakmp dynamic DMAP_R67
crypto map CMAP interface OUTSIDE
!
same-security-traffic permit intra-interface
!

ASAv2

crypto ikev1 enable OUTSIDE
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
access-list ACL_R57 extended permit ip host 6.6.6.6 host 5.5.5.5
access-list ACL_R57 extended permit ip host 6.6.6.6 host 7.7.7.7
!
crypto ipsec ikev1 transform-set TSET esp-aes-256 esp-sha-hmac
!
crypto map CMAP 10 match address ACL_R57
crypto map CMAP 10 set peer 1.1.14.1
crypto map CMAP 10 set ikev1 transform-set TSET
crypto map CMAP interface OUTSIDE
!

ASAv3

crypto ikev1 enable OUTSIDE
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
access-list ACL_R56 extended permit ip host 7.7.7.7 host 5.5.5.5
access-list ACL_R56 extended permit ip host 7.7.7.7 host 6.6.6.6
!
crypto ipsec ikev1 transform-set TSET esp-aes-256 esp-sha-hmac
!
crypto map CMAP 10 match address ACL_R56
crypto map CMAP 10 set peer 1.1.14.1
crypto map CMAP 10 set ikev1 transform-set TSET
crypto map CMAP interface OUTSIDE
!

Accepted Solution

Rahul Govindan
VIP Alumni

From your config, ASAv1 has a dynamic map. What this means is that it cannot initiate from ASAv1 to any other peer by itself. Traffic from R6 to R7 will only work when both initiate traffic towards the other end.

So basically, the steps that you would need to take to have R6 to R7 connectivity:

1) Clear both tunnels

2) Ping R6 to R7

3) Ping R7 to R6

After step 3, tunnels between R6 and R5 and between R5 and R7 should be formed for the right SAs. After the first ping failure, R7 will be able to ping R6 and vice versa.

In order to avoid this, you should use a static crypto map on the ASA to both peers.

3 Replies


You mean that

in a hub and spoke topology

I should use both a dynamic crypto map and a static crypto map:

the dynamic crypto map is used for the connection from headquarters to branches,

the static crypto map is used for the connection from branches to branches (only at ASAv2, ASAv3).

Is it right?

Is it a common config? I wonder whether many sites are configured like the above,

and

I wonder what the common configuration method is??

Thank you.


The common configuration method is the doc provided by [@karsten.iwen] here:

https://supportforums.cisco.com/document/12015091/cisco-asa-vpn-spoke-spoke-communication-hub

The issue with having a dynamic map on the hub is that spoke to spoke communication depends on both spokes initiating tunnels towards the hub. If only one spoke initiates the tunnel to the hub, spoke to spoke communication won't work.
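As an added example (not the poster's configuration and not the content of the linked document), here is one way to apply the recommendation from the replies on the hub ASAv1: replace the dynamic map with static crypto map entries toward both spokes, so the hub can initiate the second tunnel itself when hairpinned spoke-to-spoke traffic arrives. The spoke outside addresses (SPOKE_R6_IP, SPOKE_R7_IP) and the pre-shared keys are not on the page and are placeholders; the host addresses, ACL style, transform set and interface name are taken from the thread's configs.

```cisco
! Hub (ASAv1): static crypto map entries, one per spoke.
! SPOKE_R6_IP / SPOKE_R7_IP and the pre-shared keys are placeholders (assumed, not from the thread).
!
! Crypto ACLs: per spoke, list every flow that should leave the hub toward that spoke,
! including the hairpinned spoke-to-spoke flows. Each ACL must mirror the spoke's own crypto ACL.
access-list ACL_TO_R6 extended permit ip host 5.5.5.5 host 6.6.6.6
access-list ACL_TO_R6 extended permit ip host 7.7.7.7 host 6.6.6.6
access-list ACL_TO_R7 extended permit ip host 5.5.5.5 host 7.7.7.7
access-list ACL_TO_R7 extended permit ip host 6.6.6.6 host 7.7.7.7
!
! Traffic entering and leaving the same interface (spoke -> hub -> spoke) must be allowed.
same-security-traffic permit intra-interface
!
crypto ipsec ikev1 transform-set TSET esp-aes-256 esp-sha-hmac
!
! Static entries: a peer is named, so the hub can initiate toward either spoke.
crypto map CMAP 10 match address ACL_TO_R6
crypto map CMAP 10 set peer SPOKE_R6_IP
crypto map CMAP 10 set ikev1 transform-set TSET
crypto map CMAP 20 match address ACL_TO_R7
crypto map CMAP 20 set peer SPOKE_R7_IP
crypto map CMAP 20 set ikev1 transform-set TSET
crypto map CMAP interface OUTSIDE
!
! LAN-to-LAN tunnel groups keyed by peer address (keys are placeholders).
tunnel-group SPOKE_R6_IP type ipsec-l2l
tunnel-group SPOKE_R6_IP ipsec-attributes
 ikev1 pre-shared-key PSK_R6_PLACEHOLDER
tunnel-group SPOKE_R7_IP type ipsec-l2l
tunnel-group SPOKE_R7_IP ipsec-attributes
 ikev1 pre-shared-key PSK_R7_PLACEHOLDER
```

With this in place, a first ping from either spoke is enough: the spoke initiates its tunnel to the hub, the hairpinned packet matches ACL_TO_R7 (or ACL_TO_R6), and the hub initiates the second tunnel on its own. After that ping, `show crypto ikev1 sa` and `show crypto ipsec sa` on the hub should list SAs for both spoke peers regardless of which spoke sent the first packet; if only one peer appears, the hub's ACL for the other spoke does not mirror that spoke's crypto ACL.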