I have a problem configuring an IPsec L2L VPN between my Cisco ASA 5510 with HA and a remote LAN configured with 2 Cisco routers with HSRP on the LAN.
I have configured a static crypto map with the definition of the two peers (master and backup).
Sometimes it happens that the VPN is established with the backup router. Phase 2 is up but no traffic passes between the two networks.
Why do you add two peers? On the ASA you only need one, the VIP.
As you know, in a specific HSRP group there is one VIP, this is going to be considered the VPN peer.
Please let me know.
Please rate any helpful posts
As I understand it, you have an active/standby failover cluster on the ASA side and then an HSRP cloud for the local area network on the router's side. But for the WAN side you are using 2 different broadcast domains. That is why you have 2 crypto-map peers and 2 tunnel-groups on your ASA, correct?
Now, can you check if you have the same crypto ACL for both peers? If possible, post the configuration from the active ASA and the 2 routers.
Hi, as Julio said,
I have the HSRP only on the router on the LAN side.
My ASA configuration is the following:
access-list aclVpn extended permit ip 172.20.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list nonat extended permit ip 172.20.0.0 255.255.0.0 172.16.10.0 255.255.255.0
crypto map cryptosede 1 match address aclVpn
crypto map cryptosede 1 set peer peerHDSL peerADSL
crypto map cryptosede 1 set transform-set fimuset
crypto map cryptosede 1 set security-association lifetime seconds 28800
tunnel-group peerHDSL type ipsec-l2l
tunnel-group peerHDSL ipsec-attributes
tunnel-group peerADSL type ipsec-l2l
tunnel-group peerADSL ipsec-attributes
Do you think that I need to create two separate ACLs and crypto maps?
Sometimes it happens that the VPN comes up on both routers and traffic is split (transmitted packets are on one peer and received packets on the other one).
No, on the ASA side you are fine.
Now on the router side is where you need 2 as you have 2 outside WAN interfaces.
Are you using 2 broadcast domains on the router side?
Remember to rate all of the helpful posts ( if you need to know how to rate the posts let me know )