I am experiencing something of a similar problem, although this involves a client with multiple IPsec VPNs to remote sites.

When we implemented the second VPN using the 'any' clause in the crypto ACL we suddenly lost traffic to the first site, which also included an 'any' clause in the their crypto ACL.

The original tunnel remained up but no traffic was going through.  Eventually we had to roll back the changes on the second tunnel in order to restore traffic to the first VPN.

Any idea on what caused this to happen?  And what can we do to provide full tunnels to the sites while continuing to direct traffic to the proper sites?

Hi Christine,

Can you provide your crypto related configuration and what configuration you added for the second tunnel ?

Regards,

Puneesh

Please rate helpful posts

Hi Puneesh.

I've attached a file with the pertinent crypto information.

Here is the chronological sequence of events:

Four sites were involved: Oregon (the hub) and the UK, N. Calif., and S. Calif. (spokes).  N. Calif. and S. Calif. are full tunnels so that Internet-destined traffic traverses the tunnel.  Remote sites could only access selected resources behind the hub firewall.

Everything was working fine up to the point of the change.  What the client desired was for the remote sites to be able to access resources at other remote sites and maintain connectivity to the Internet using the full tunnels.  (Generally speaking the clients within the company would be able reach any other resource within the company no matter where located).

The changes had been made to the UK a month ago and it was working properly. 

We commenced to make the changes to N. Calif. and it appeared to be working correctly (Users could reach corporate resources and reach Internet sites).

We then proceeded to make the changes to S. Calif. but the tunnel would not come back up.

Somewhere in here it was noticed that we had lost connectivity to the UK which, as I mentioned, had been working correctly to this point.  The tunnel to the UK was still up but no traffic was flowing across.  It was noted that traffic was flowing out from the UK but no return traffic (i.e. from Oregon to UK) was going across the tunnel.

At this point we rolled back the changes for S. Calif. and N. Calif. and the UK began receiving traffic again.  S. Calif. also began transmitting traffic using the pre-change configuration.

Our suspicion is that the NAT statements that we put in 'grabbed' all of the traffic and directed it towards N. Calif., but we were not able to diagnose since we had rolled back.

I am also a little suspicious of the sequence of the crypto ACLs but unable to confirm.

We proposed site-to-site VPNs but auditing requirements stipulate that Internet traffic go through an IPS located behind the hub firewall.

So, the question is: how can we allow site-to-site communications between the spokes yet allow Internet (any) traffic through the hub.

Thanks.