06-01-2016 11:04 AM
Hello.
I have the strange situation where a vpn-filter created for a single tunnel actually affects multiple tunnels. On the same device, I have configured a vpn-filter for a third tunnel which seems to operate independently without issue or overlap.
I have created unique group-policies, specified those policies on a per tunnel basis, and should see that each filter only affects the tunnel it was configured for.
The only commonality I can see between the two tunnels affected by the same filter is that they connect to two different devices in the same remote public subnet. I'm beginning to think there is some kind of classful bias.
Has anyone else experienced this on an ASA 5510?
06-01-2016 05:25 PM
Hi David,
It should not ideally happen.
Could you share the sanitized config of the device?
Regards,
Aditya
Please rate helpful posts and mark correct answers.
06-07-2016 07:33 AM
Here is the config related to the VPN tunnels. I've grouped the crypto map, group-policy, and tunnel-group entries into per-VPN-tunnel sets.
Tunnel One and Tunnel Two are the ones that are both affected by Tunnel One's vpn filter, while Tunnel Three operates independently as expected.
crypto map cryptomapping 3 match address map_S2S_TunnelThree_Prime
crypto map cryptomapping 3 set peer 333.333.333.333
crypto map cryptomapping 3 set ikev1 transform-set redacted
crypto map cryptomapping 3 set ikev2 ipsec-proposal redacted
group-policy S2S_TunnelThree_Prime internal
group-policy S2S_TunnelThree_Prime attributes
vpn-filter value filter_S2S_TunnelThree_Prime
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 333.333.333.333 type ipsec-l2l
tunnel-group 333.333.333.333 general-attributes
default-group-policy S2S_TunnelThree_Prime
tunnel-group 333.333.333.333 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
crypto map cryptomapping 10 match address map_S2S_TunnelOne_Prime
crypto map cryptomapping 10 set peer 111.111.111.111
crypto map cryptomapping 10 set ikev1 transform-set redacted
crypto map cryptomapping 10 set ikev2 ipsec-proposal redacted
crypto map cryptomapping 10 set ikev2 pre-shared-key *****
crypto map cryptomapping 10 set security-association lifetime seconds 28800
crypto map cryptomapping 10 set reverse-route
group-policy S2S_TunnelOne_Primary internal
group-policy S2S_TunnelOne_Primary attributes
vpn-filter value filter_S2S_TunnelOne_Prime
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 general-attributes
default-group-policy S2S_TunnelOne_Primary
tunnel-group 111.111.111.111 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
crypto map cryptomapping 1 match address map_S2S_TunnelTwo_TeleCon
crypto map cryptomapping 1 set peer 222.222.222.222
crypto map cryptomapping 1 set ikev1 transform-set redacted
crypto map cryptomapping 1 set ikev2 ipsec-proposal redacted
crypto map cryptomapping 1 set ikev2 pre-shared-key *****
crypto map cryptomapping 1 set reverse-route
group-policy S2S_TunnelTwo_TeleCon internal
group-policy S2S_TunnelTwo_TeleCon attributes
vpn-filter value filter_S2S_TunnelTwo_TeleCon
tunnel-group 222.222.222.222 type ipsec-l2l
tunnel-group 222.222.222.222 general-attributes
default-group-policy S2S_TunnelTwo_TeleCon
tunnel-group 222.222.222.222 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
06-03-2016 09:11 AM
Hello David,
I know that you clarified that you created a new GP and assigned the VPN filter to it. The only way the VPN filter would be populated to all of the tunnels is by assigning this VPN filter to the default group policy, but this is not the case. I would recommend you delete the tunnel group and GP, create them once again, add the VPN filter to the GP, run packet tracers and make sure the VPN filter is only added to that SA. Please attach the pertinent show tech or show run, so we can take a look at it.
Thanks,
David Castro,
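An added example, not from the thread or from Cisco: a small Python audit that walks a sanitized ASA `show run`, resolves each tunnel-group through its default-group-policy to the vpn-filter that actually applies (attributes a group-policy does not set are inherited from DfltGrpPolicy, the path David Castro mentions), and reports any filter that lands on more than one tunnel. The config sample, peer addresses and policy names are constructed placeholders.

```python
import re
# Constructed sample in ASA "show run" shape (placeholder peers and names, not the thread's config).
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-filter value filter_DEFAULT
group-policy GP_SiteA attributes
 vpn-filter value filter_SiteA
group-policy GP_SiteB attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 general-attributes
 default-group-policy GP_SiteA
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 general-attributes
 default-group-policy GP_SiteB
tunnel-group 198.51.100.30 type ipsec-l2l
"""

def parse_asa(config):
    """Return ({group-policy: vpn-filter}, {tunnel-group: default-group-policy}, set of tunnel-groups)."""
    gp_filter, tg_policy, tunnel_groups, section = {}, {}, set(), None
    for line in config.splitlines():
        if not line.startswith(" "):  # top-level command: it opens (or ends) an attribute section
            gp = re.match(r"group-policy (\S+) attributes$", line)
            tg = re.match(r"tunnel-group (\S+) ", line)
            if tg:
                tunnel_groups.add(tg.group(1))
            section = ("gp", gp.group(1)) if gp else ("tg", tg.group(1)) if tg else None
            continue
        words = line.split()  # indented sub-attribute of the current section
        if section and section[0] == "gp" and words[:2] == ["vpn-filter", "value"]:
            gp_filter[section[1]] = words[2]
        elif section and section[0] == "tg" and words[:1] == ["default-group-policy"]:
            tg_policy[section[1]] = words[1]
    return gp_filter, tg_policy, tunnel_groups

def effective_filters(config):
    """Resolve each tunnel-group to the vpn-filter the ASA actually applies to it."""
    gp_filter, tg_policy, tunnel_groups = parse_asa(config)
    default_filter = gp_filter.get("DfltGrpPolicy")  # attributes a GP does not set inherit from here
    return {tg: gp_filter.get(tg_policy.get(tg, "DfltGrpPolicy"), default_filter)
            for tg in sorted(tunnel_groups)}

def shared_filters(config):
    # Filters that land on more than one tunnel: the symptom the thread describes.
    by_filter = {}
    for tg, flt in effective_filters(config).items():
        if flt:
            by_filter.setdefault(flt, []).append(tg)
    return {f: tgs for f, tgs in by_filter.items() if len(tgs) > 1}
```

In the constructed sample, GP_SiteB sets no vpn-filter and the third tunnel-group names no group policy, so both fall through to filter_DEFAULT and are reported together.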
02-13-2019 01:23 PM
This is very old. Either way, my questions would be:
vpn-filter value filter_S2S_TunnelTwo_TeleCon --- where and how is this acl configured?
default-group-policy S2S_TunnelOne_Primary ---- where and how is this GP configured?
vpn-filter value filter_S2S_TunnelThree_Prime --- where and how is this acl configured?