02-22-2016 05:47 AM
What happens when an ASA receives a VPN initiation request from a remote end (AWS) from a secondary connection? Will the ASA try to form the VPN tunnel with the primary IP or the secondary IP?
The ASA has roughly the following configuration (only the relevant configuration is shown):
!
crypto map outside_map 1 set peer P.P.P.P S.S.S.S
!
tunnel-group P.P.P.P type ipsec-l2l
tunnel-group P.P.P.P ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group S.S.S.S type ipsec-l2l
tunnel-group S.S.S.S ipsec-attributes
ikev1 pre-shared-key *****
!
TIA,
Nikhil
02-22-2016 06:38 AM
Hello,
The tunnel will be established with the first IP that you have configured. If the tunnel is successfully established, it is going to leave the second IP as the backup; it is not going to try to establish a tunnel with that IP until the primary tunnel goes down. It's important to configure keepalives so you can monitor the remote peer and identify when it is down. If the remote peer stops replying to the keepalives, the ASA will tear down the tunnel and try to bring it back up with the secondary IP. If you receive a request from the secondary IP, the ASA will accept it and form the tunnel, but that's only when the primary is not active; you shouldn't get a request from the secondary if the primary is up.
Regards, please rate!
02-22-2016 07:43 AM
Thanks for your response.
I understood how the ASA initiates the traffic and establishes the tunnel. But in the case where the ASA is the responder and, say, traffic is coming from the other end's primary connection while the ASA has it listed as the secondary peer, how would the ASA handle that?
02-22-2016 12:54 PM
It will establish the tunnel. It will match the crypto map and bring the tunnel up even if it is listed as secondary.
02-23-2016 02:58 AM
Could you please also let me know what the default connection type would be for the above ASA (having 2 peers listed inside the same crypto map sequence)?
I could not find it from the CLI and am guessing it is working in 'Originate' mode; I am planning to set it to 'Bidirectional' mode.
!
crypto map outside_map 1 set connection-type bidirectional
!
02-23-2016 04:07 AM
Documentation says that by default the mode is 'Bidirectional'.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c6.html#pgfId-2477607
Also, I could confirm it using the command
sh run all crypto map
I put it over here so that in the future someone else could use it.
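The two checks the thread converges on, "is every peer in `set peer` backed by a usable tunnel-group with keepalives" (the first answer) and "what connection-type does `sh run all crypto map` actually show" (the post above), are easy to get wrong by eye once a crypto map has several sequences. The script below is an added example, not code from the thread or from Cisco: it parses a constructed sample of `show run all crypto map` plus tunnel-group output (documentation-range addresses 203.0.113.10 and 198.51.100.20 stand in for P.P.P.P and S.S.S.S) and reports the primary/backup ordering, the connection-type, and any peer that lacks an `ipsec-l2l` tunnel-group, a pre-shared key, or an `isakmp keepalive` line. The `audit` function name and the finding wording are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of "show run all crypto map" and tunnel-group output.
# Addresses are from documentation ranges (RFC 5737), not real peers.
SAMPLE_CONFIG = """\
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.10 198.51.100.20
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set connection-type bidirectional
crypto map outside_map interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key *****
"""

@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peers: List[str] = field(default_factory=list)  # listed order: primary first
    connection_type: Optional[str] = None           # None = line not present in output

@dataclass
class TunnelGroup:
    name: str
    group_type: Optional[str] = None
    has_psk: bool = False
    has_keepalive: bool = False

CM_RE = re.compile(r"^crypto map (\S+) (\d+) set (peer|connection-type) (.+)$")
TG_TYPE_RE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
TG_ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")

def parse_config(text: str) -> Tuple[Dict[Tuple[str, int], CryptoMapEntry], Dict[str, TunnelGroup]]:
    """Collect crypto map peers/connection-type and per-peer tunnel-group facts."""
    maps: Dict[Tuple[str, int], CryptoMapEntry] = {}
    groups: Dict[str, TunnelGroup] = {}
    current: Optional[str] = None  # tunnel-group whose ipsec-attributes block we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith(" ") and current is not None:
            # Indented lines belong to the open ipsec-attributes block.
            body = line.strip()
            if body.startswith("ikev1 pre-shared-key") or body.startswith("pre-shared-key"):
                groups[current].has_psk = True
            elif body.startswith("isakmp keepalive"):
                groups[current].has_keepalive = True
            continue
        current = None  # any top-level line closes the attributes block
        m = CM_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            entry = maps.setdefault(key, CryptoMapEntry(*key))
            if m.group(3) == "peer":
                entry.peers = m.group(4).split()
            else:
                entry.connection_type = m.group(4)
            continue
        m = TG_TYPE_RE.match(line)
        if m:
            groups.setdefault(m.group(1), TunnelGroup(m.group(1))).group_type = m.group(2)
            continue
        m = TG_ATTR_RE.match(line)
        if m:
            current = m.group(1)
            groups.setdefault(current, TunnelGroup(current))
    return maps, groups

def audit(text: str) -> List[str]:
    """Return human-readable findings about peer ordering and failover readiness."""
    findings: List[str] = []
    maps, groups = parse_config(text)
    for (name, seq), entry in sorted(maps.items()):
        tag = f"{name} {seq}"
        if not entry.peers:
            findings.append(f"{tag}: no peers configured")
            continue
        findings.append(f"{tag}: primary peer {entry.peers[0]}, backups {entry.peers[1:]}")
        if entry.connection_type is None:
            findings.append(f"{tag}: connection-type not shown; use 'show run all crypto map' to see the default")
        else:
            findings.append(f"{tag}: connection-type {entry.connection_type}")
        for peer in entry.peers:
            tg = groups.get(peer)
            if tg is None or tg.group_type != "ipsec-l2l":
                findings.append(f"{tag}: peer {peer} has no ipsec-l2l tunnel-group; it can never negotiate")
                continue
            if not tg.has_psk:
                findings.append(f"{tag}: peer {peer} has no pre-shared key configured")
            if not tg.has_keepalive:
                findings.append(f"{tag}: peer {peer} has no isakmp keepalive; a dead primary will not fail over promptly")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show run all crypto map` together with `show run tunnel-group`: plain `show run` omits default lines, so a missing connection-type in that output means "default", which the script flags rather than guesses.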
02-23-2016 08:28 PM
It is the same behavior as having just one peer: the default is bidirectional.