12-25-2021 02:20 AM
Hello,
I'm facing some problems with an IPsec VPN dynamic-static setup.
I have working traffic over IPsec with one of my prefixes but can't add a second one.
For sanity I have removed configuration that is not relevant and replaced IPs/object names with bogus ones.
Dynamic site:
crypto map VPN 20 match address DYNAMIC-SITE
access-list DYNAMIC-SITE extended permit ip object A object B
access-list DYNAMIC-SITE extended permit ip object A object C
nat (A-IF,outside) source static A A destination static B B route-lookup
nat (A-IF,outside) source static A A destination static C C route-lookup
Static site:
crypto dynamic-map DYNAMIC-MAP 20 match address STATIC-SITE
access-list STATIC-SITE extended permit ip object B object A
access-list STATIC-SITE extended permit ip object C object A
nat (B-IF,VL3999_INTERNET) source static B B destination static A-NAT A
nat (C-IF,VL3999_INTERNET) source static C C destination static A-NAT A
Now, when I clear the IKEv2 or IPsec peer it only allows the first served prefix.
Example:
We clear IPsec and start with A > B.
DYNAMIC-SITE A > STATIC-SITE B
This brings up A - B communication but it never opens up A - C.
But it never opens up for DYNAMIC-SITE A > STATIC-SITE C.
Now we clear IPsec again and start with A > C.
DYNAMIC-SITE A > STATIC-SITE C
This brings up A - C communication but it never opens up A - B.
I have debug ipsec 255 on both sides and never see a trace of the non-functional traffic.
I can however see in ASP drops that it is denied by a configured rule. What am I missing?
BR,
Cristian
12-25-2021 03:11 AM
It seems I may have found my issue.
I was missing the PFS group on the STATIC site dynamic crypto map... so silly of me.
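An added example (not from the thread or from Cisco): a small Python check that parses both sides' crypto-map and access-list excerpts and reports the two things this thread turned on, a PFS mismatch between the static and dynamic crypto map, and any ACL entry that has no mirror image on the peer. The `set pfs group14` line and the regex parser are this example's own assumptions; the sample configs are constructed from the thread's excerpts.

```python
import re

# Constructed sample configs based on the thread. The "set pfs" line is
# assumed (standard ASA syntax); the thread only says the group was missing.
DYNAMIC_SITE = """
crypto map VPN 20 match address DYNAMIC-SITE
crypto map VPN 20 set pfs group14
access-list DYNAMIC-SITE extended permit ip object A object B
access-list DYNAMIC-SITE extended permit ip object A object C
"""

STATIC_SITE = """
crypto dynamic-map DYNAMIC-MAP 20 match address STATIC-SITE
access-list STATIC-SITE extended permit ip object B object A
access-list STATIC-SITE extended permit ip object C object A
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip object (\S+) object (\S+)$")
MAP_RE = re.compile(r"^crypto (?:dynamic-)?map \S+ \d+ (match address|set pfs)(?: (\S+))?$")

def parse_site(text):
    """Return (acl_name, pfs_group_or_None, set of (src, dst) pairs) from an excerpt."""
    acl_name, pfs, aces = None, None, {}
    for line in text.strip().splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            if m.group(1) == "match address":
                acl_name = m.group(2)
            else:
                pfs = m.group(2) or "(default)"  # bare "set pfs" uses the platform default
        m = ACE_RE.match(line.strip())
        if m:
            aces.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
    return acl_name, pfs, aces.get(acl_name, set())

def check_peers(local, remote):
    """Return a list of findings; an empty list means the two sides agree."""
    l_acl, l_pfs, l_aces = parse_site(local)
    r_acl, r_pfs, r_aces = parse_site(remote)
    findings = []
    if l_pfs != r_pfs:
        findings.append(f"pfs mismatch: {l_pfs or 'absent'} vs {r_pfs or 'absent'}")
    mirrored = {(dst, src) for src, dst in r_aces}  # remote ACEs seen from the local side
    for pair in sorted(l_aces - mirrored):
        findings.append(f"{l_acl} {pair} has no mirror in {r_acl}")
    for pair in sorted(mirrored - l_aces):
        findings.append(f"{r_acl} {pair[::-1]} has no mirror in {l_acl}")
    return findings
```

Running `check_peers(DYNAMIC_SITE, STATIC_SITE)` reports the PFS mismatch; adding a matching `set pfs` line to the static side clears it.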