ASDM over L2L

Erik-234577235 (Level 1)

hi,

I have 4 branch-offices connected via L2L to the main office (all 5505, 8.4.3)

When I compare the running configs, they look very similar, and so they should, because the branch-asas are all configured identically (internal IPs are different, outside is dhcp).

My problem is, that I cannot connect via asdm to some devices sometimes. They are all configured identically.

The worst case is, that 1 device is sometimes reachable and sometimes not.

Same thing with ICMP... sometimes I can ping an asa, sometimes not.

Is there a way how I can set the device to recognize the packets correct?

thx

DN

4 Replies

Jennifer Halim (Cisco Employee)

Since your branch ASA outside interface is running on DHCP, when the VPN tunnel is down, the first connection needs to be initiated from the branch subnet. This is why you sometimes can't access the branch site: the main office can't initiate the VPN tunnel if the tunnel to the branch is down or if the SA has expired. To keep the tunnel up at all times, you can use a probe/continuous ping/etc. so you can always access the branch office. However, if the branch DHCP IP changes, then the first connection needs to be initiated from the branch.

Hope this answers your question.

Hi Jennifer,

thx for your answer. This might generally be true, but not in my case.

The tunnel is up and I reach the systems beyond the asas.

Even when the ping is running, I cannot access the asa.

Logging the ASA out of the VPN and reconnecting doesn't work. The tunnel comes up, but the ASA stays non-reachable.

thx

DN

I assume that you access the ASA inside interface IP, that it is part of the crypto ACL, and that "management-access inside" and "http inside" are all configured?

Can you please share your config if the above has been configured?
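The three prerequisites named in this reply (inside interface IP covered by the crypto ACL, "management-access inside", and an "http" entry on the inside interface that admits the main-office subnet) can be checked mechanically against a running-config. The following is an added example, not code from this thread or from Cisco: it parses a constructed sample config of a branch 5505 in 8.4-style syntax and reports each prerequisite. The interface names, ACL and crypto-map names, the 192.168.10.0/24 and 10.0.0.0/24 subnets and the 203.0.113.1 peer are all made-up assumptions, and the ACL parser assumes extended ACLs with plain address operands (no object groups).

```python
"""Lint an ASA running-config for the management-over-L2L prerequisites.

Added example, not code from the original thread. The sample config and all
addresses, ACL names and crypto-map names below are constructed assumptions.
"""
import ipaddress

# Constructed sample of a branch ASA 5505 (8.4 syntax); inside is Vlan1.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map interface outside
management-access inside
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
"""

HUB_LAN = ipaddress.ip_network("10.0.0.0/24")   # assumed main-office subnet


def parse_interfaces(cfg):
    """Return {nameif: IPv4Interface, or None for DHCP} from interface stanzas."""
    result, name, addr = {}, None, None
    for line in cfg.splitlines():
        if not line.startswith(" "):            # any top-level line ends a stanza
            if name:
                result[name] = addr
            name, addr = None, None
            continue
        parts = line.split()
        if parts[0] == "nameif":
            name = parts[1]
        elif parts[:2] == ["ip", "address"] and parts[2] != "dhcp":
            addr = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
    if name:
        result[name] = addr
    return result


def _acl_addr(tokens, i):
    """Decode one address operand of an extended ACE: any | host A | A MASK."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def crypto_acl_entries(cfg):
    """Yield (src_net, dst_net) for every permit ACE an active crypto map references."""
    acl_names = {
        line.split()[-1]
        for line in cfg.splitlines()
        if line.startswith("crypto map ") and " match address " in line
    }
    for line in cfg.splitlines():
        t = line.split()
        if len(t) > 6 and t[0] == "access-list" and t[1] in acl_names and t[3] == "permit":
            src, i = _acl_addr(t, 5)            # t[4] is the protocol keyword (ip)
            dst, _ = _acl_addr(t, i)
            yield src, dst


def http_rules(cfg):
    """Yield (allowed_net, interface) from `http A MASK IFNAME` lines."""
    for line in cfg.splitlines():
        t = line.split()
        if len(t) == 4 and t[0] == "http":
            yield ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False), t[3]


def lint(cfg, mgmt_if="inside", peer_net=HUB_LAN):
    """Check the prerequisites for reaching the ASA's own inside IP across the L2L."""
    mgmt_ip = parse_interfaces(cfg).get(mgmt_if)
    if mgmt_ip is None:
        raise ValueError(f"no static address found on interface {mgmt_if!r}")
    lines = set(cfg.splitlines())
    return {
        "management_access": f"management-access {mgmt_if}" in lines,
        # the ASA's own inside IP must be inside the crypto ACL's local side,
        # with the hub LAN on the remote side, or replies never enter the tunnel
        "crypto_acl_covers_mgmt_ip": any(
            mgmt_ip.ip in src and peer_net.subnet_of(dst)
            for src, dst in crypto_acl_entries(cfg)
        ),
        "http_from_peer_on_mgmt_if": any(
            ifn == mgmt_if and peer_net.subnet_of(net) for net, ifn in http_rules(cfg)
        ),
        # finding, not a prerequisite: ASDM/HTTPS open to any source on the Internet side
        "http_open_to_any_on_outside": any(
            ifn == "outside" and net.prefixlen == 0 for net, ifn in http_rules(cfg)
        ),
    }


if __name__ == "__main__":
    for check, ok in lint(SAMPLE_CONFIG).items():
        print(f"{check:30s} {ok}")
```

Run as-is it reports the three prerequisites as met for the constructed config, and additionally flags the `http 0.0.0.0 0.0.0.0 outside` line: that admits ASDM/HTTPS logins from any Internet source, so in practice it should be narrowed to the peer address or a dedicated management host rather than left at 0.0.0.0. Narrowing the outside entry leaves the VPN path unaffected, because management across the tunnel arrives on the inside interface.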

Hi Jennifer,

It doesn't matter whether I access the ASA over the public IP or the internal one.

With the internal IP it's not reachable most of the time, and over the public IP the ASA is reachable as long as the tunnel is not up. As soon as the tunnel is up, access over the public IP is not possible any more.

Config:

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

DN