12-05-2017 11:50 PM - edited 03-12-2019 04:47 AM
We have a typical dynamic-to-static IPsec VPN setup between the Site A (Hub) ASA and the Site B (Remote) ASA.
The tunnel sets up fine when we initiate traffic from the remote side.
Question: once a tunnel is set up for a particular IPsec SA (Site B (Host A) to Site A (Server B)), can we initiate from the hub site to set up another, totally different IPsec SA (Site A (Server Y) to Site B (Host A)), or is this not supported and must it first be initiated from the remote side?
The scenario is that we have a SolarWinds monitoring system at the hub site and would like to monitor the remote nodes over the dynamic VPN.
12-06-2017 05:26 AM
Hello @trupeni2012,
Unfortunately, you cannot initiate the traffic from the Hub, since you don't have an ACL for that connection and for that reason you cannot send the traffic through the specific SA. The only way you can do it is to generate the traffic from the Remote end (Spoke); after that you should be able to send traffic, in your case monitor with SolarWinds.
There is a way to avoid having a computer on the remote end sending traffic to keep the SA up: you can use your ASA for that with a script (EEM):
With this the ASA will send traffic through that specific SA and keep the VPN tunnel up for monitoring purposes; you can also set the interval for the packets :)
HTH
Gio
12-06-2017 02:16 AM
The ASA will establish a separate SA for every entry in the crypto ACL, and in the case of a dynamic VPN only the hub can bring up the SA.
I think it is easier to clarify with an example:
access-list CRYPTOMAP-HUB line 1 extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list CRYPTOMAP-HUB line 2 extended permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
If only traffic from 192.168.1.1 (Remote) is initiated, that SA will come up and traffic can then also be initiated from 10.0.0.1 (Hub) to 192.168.1.1, but you could not initiate traffic from 10.0.0.1 to 192.168.2.1.
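To tie the two answers together (one SA per crypto ACL entry, and only the spoke being able to bring a given SA up against the hub's dynamic crypto map), here is an added configuration example. It is mine, not a script posted by either responder and not taken from Cisco documentation. It assumes IKEv1, a hub public address of 203.0.113.1, hub networks in 10.0.0.0/8 with a pollable host at 10.0.0.1, spoke interfaces `inside` (192.168.1.254/24) and `dmz` (192.168.2.254/24), and the object names shown; every one of those values is an assumption, not something from the thread.

```cisco
! Added example, not from the thread. All addresses and names are assumed.
! ---------- Hub ASA (static side, dynamic crypto map) ----------
! CRYPTOMAP-HUB is the two-line ACL from the answer above. The dynamic map
! has no peer address, which is exactly why the hub cannot initiate an SA.
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-SPOKES 10 match address CRYPTOMAP-HUB
crypto dynamic-map DYN-SPOKES 10 set ikev1 transform-set TS-AES256-SHA
crypto map CM-OUTSIDE 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map CM-OUTSIDE interface outside
crypto ikev1 enable outside
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK

! ---------- Spoke ASA (dynamic address, static peer) ----------
! Mirror of the hub ACL. Each ACE yields its own IPsec SA, so a second ACE
! means a second SA that must be brought up on its own.
access-list CRYPTOMAP-SPOKE extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list CRYPTOMAP-SPOKE extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0

crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map CM-OUTSIDE 10 match address CRYPTOMAP-SPOKE
crypto map CM-OUTSIDE 10 set peer 203.0.113.1
crypto map CM-OUTSIDE 10 set ikev1 transform-set TS-AES256-SHA
crypto map CM-OUTSIDE interface outside
crypto ikev1 enable outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK

! Keepalive applet on the spoke. Every 60 s it pings the hub host once
! from each inside-facing interface. The source address of each ping falls
! inside a different ACE, so both SAs are negotiated and kept from idling
! out, and the hub-side poller can then reach 192.168.1.x and 192.168.2.x.
event manager applet VPN-KEEPALIVE
 event timer watchdog time 60
 action 1 cli command "ping inside 10.0.0.1 repeat 2"
 action 2 cli command "ping dmz 10.0.0.1 repeat 2"
 output none
```

Two points a practitioner should check. First, the applet has to live on the spoke; an equivalent applet on the hub would do nothing for an SA that is not already up, because the dynamic map gives the hub no peer to negotiate with. Second, the ping's source interface address must itself be covered by an ACE, which is why there is one `ping` per ACE rather than one for the whole tunnel. Verify on the spoke with `show crypto ipsec sa peer 203.0.113.1`: you should see two SAs with different local identities and `#pkts encaps` increasing on both every minute.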
12-06-2017 01:43 PM