Can only establish one SA on Dynamic IKEv2 VPN

casanavep
Level 3

I am running a dynamic VPN, that establishes perfectly fine over NAT from a 5505 running 9.1 code to a 5515X running 9.1 code.  The issue that I have is, only the first attempted network SA will establish.  If the first packet from the remote is to a 172.x.x.x, an SA will establish to that and they will not be able to form an SA to the remote 10.x.x.x network.  If the first packets from the remote branch are destined to the hub side 10.x.x.x, that SA will form and work, but they will never be able to form an SA to the 172.x.x.x remote network.  

Configurations followed this guide exactly, with the exceptions of networks used, routes needed, no NAT statements not covered in the guide, etc.:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.html

Does anyone have any insight into what could be missing or ability to help diagnose?

Thanks all!!!!

1 Reply

casanavep
Level 3

Resolved.  It turns out Cisco did not validate their guide... They had a client-side command that had not been implemented at the hub/static side:

crypto map outside_map 1 set pfs group5

Removing this at the client side resolves the issues.
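The mismatch described above, a crypto map "set pfs" requirement on one peer that the other peer's map never offers, is easy to miss in a long ASA config and easy to catch with a small consistency check. The following is an added example, not code from the original thread or from Cisco: it parses the "set" lines of two constructed ASA config fragments (a spoke with a static crypto map and a hub with a dynamic map, both hypothetical, with a placeholder peer address) and reports any entry whose PFS group the other side does not also configure. The "crypto dynamic-map ... set" and "crypto map ... set" line forms are standard ASA syntax; every map name, sequence number and proposal name here is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed ASA config fragments (hypothetical, not from the thread). The
# spoke's static crypto map sets PFS group5; the hub's dynamic map does not,
# which is the kind of one-sided setting the thread above ran into.
SPOKE_CONFIG = """\
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map interface outside
"""

HUB_CONFIG = """\
crypto dynamic-map outside_dyn_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

# The same hub fragment with PFS added so that both sides agree.
HUB_CONFIG_FIXED = HUB_CONFIG.replace(
    "crypto dynamic-map outside_dyn_map 1 set ikev2 ipsec-proposal AES256\n",
    "crypto dynamic-map outside_dyn_map 1 set ikev2 ipsec-proposal AES256\n"
    "crypto dynamic-map outside_dyn_map 1 set pfs group5\n",
)

# Matches "crypto map <name> <seq> set <keyword> [rest]" and the dynamic-map form.
SET_LINE = re.compile(r"^crypto (dynamic-map|map) (\S+) (\d+) set (\S+)(?:\s+(.*))?$")

Entry = Tuple[str, str, str]  # (kind, map name, sequence number)


def parse_set_lines(config: str) -> Dict[Entry, Dict[str, str]]:
    """Collect every 'set' keyword and its arguments per crypto map entry."""
    entries: Dict[Entry, Dict[str, str]] = {}
    for raw in config.splitlines():
        m = SET_LINE.match(raw.strip())
        if not m:
            continue  # match-address, interface and dynamic-binding lines are skipped
        kind, name, seq, keyword, rest = m.groups()
        entries.setdefault((kind, name, seq), {})[keyword] = (rest or "").strip()
    return entries


def pfs_groups(config: str) -> Dict[Entry, Optional[str]]:
    """PFS DH group for each entry that carries an IPsec proposal; None if unset."""
    return {
        entry: settings.get("pfs")
        for entry, settings in parse_set_lines(config).items()
        if "ikev2" in settings or "ikev1" in settings
    }


def pfs_findings(local: str, peer: str) -> List[str]:
    """Report local entries whose PFS setting no entry on the peer side shares."""
    peer_groups = set(pfs_groups(peer).values())
    findings: List[str] = []
    for (kind, name, seq), group in pfs_groups(local).items():
        if group not in peer_groups:
            want = f"pfs {group}" if group else "no pfs"
            offered = sorted(g or "none" for g in peer_groups)
            findings.append(f"{kind} {name} {seq}: requires {want}, peer offers {offered}")
    return findings


if __name__ == "__main__":
    for label, hub in (("as posted", HUB_CONFIG), ("after fix", HUB_CONFIG_FIXED)):
        print(label, "spoke->hub:", pfs_findings(SPOKE_CONFIG, hub))
        print(label, "hub->spoke:", pfs_findings(hub, SPOKE_CONFIG))
```

Run the check in both directions, since the entry lacking the setting is just as much a finding as the entry that has it; the thread's fix of dropping the command on the spoke and the alternative of adding it on the hub both clear the report.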