Dynamic VPN query

mukundh86
Level 1

Hi all

I have a small doubt with respect to the number of sessions a dynamic VPN can have. I have two private networks 10.0.0.1 and 10.0.0.2 trying to dynamic VPN to the network. Everything works fine but whenever the communication to 10.0.0.1 and 10.0.0.2 is happening simultaneously, it works well for like 15 minutes and then communication to one of the networks drops.

I tried it with associating the ACLs for permitting the traffic of these private networks to the same dynamic crypto map and I also tried creating two different dynamic crypto maps for these networks, but it didn't help.

Is there a way to go about this or is it that Cisco supports only one dynamic VPN session?

Mukundh


Jennifer Halim
Cisco Employee

Cisco devices support multiple dynamic VPN sessions, however, the private networks need to be unique.

Currently as per your description, the network is 10.0.0.1 which overlaps with 10.0.0.2.

You only need 1 dynamic map and the one dynamic map can be accessed by multiple dynamic peers. However, each remote subnet needs to be unique, otherwise there will be overlapping.

Hi Jennifer

Thanks for the reply. Sorry for the mistake. The subnet masks used for the 10.x networks in the above post is 255.255.255.0.

Unfortunately I do not have debugs corresponding to the event of the VPN tunnels failing. Any suggestions as to any specific debugs to run? I was thinking of running "debug crypto isakmp"

Sorry, just want to clarify, do you mean it's 10.0.1.0/24 and 10.0.2.0/24?

Yes, please kindly run the following 2 debugs:

debug cry isa

debug cry ipsec

on both the VPN server as well as the VPN remote end.

Yes both networks are 10.0.0.1/24 and 10.0.0.2/24.

The thing is I do not have control of the device on the remote end. Also the device at the remote end is a Linksys RV-042. I am not sure if we can run debugs on it.

I am in control of the Cisco 2811 on the other end. Is there a way to run debugs just on the Dynamic VPN peers as the Cisco router is also doing static VPN with 20 other peers?

Mukundh

Looks like you got the subnet wrong. It should be 10.0.1.0/24 and 10.0.2.0/24, right? Otherwise 10.0.0.1 and 10.0.0.2 belong to the same subnet.

Oops. My bad. Really apologize for this silly mistake of mine. I had a typo in my previous messages. The networks are 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 right from the start. Again I apologize.
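
The uniqueness requirement discussed in the replies above, as an added example that is not part of any post in this thread: a Python check that normalizes each remote peer's address/mask to the network it covers and reports every pair that overlaps. The peer labels and the `10.0.0.0/16` entry are constructed for illustration; the other addresses are the ones quoted in the thread.

```python
import ipaddress
from itertools import combinations


def normalize(entries):
    """Map each peer label to the network its address/mask actually covers.

    strict=False lets a host address such as 10.0.0.1/24 (or
    10.0.0.1/255.255.255.0) collapse to its network, 10.0.0.0/24.
    """
    return {peer: ipaddress.ip_network(cidr, strict=False)
            for peer, cidr in entries.items()}


def find_overlaps(entries):
    """Return (peer_a, peer_b, net_a, net_b) for every overlapping pair."""
    nets = normalize(entries)
    clashes = []
    for (p1, n1), (p2, n2) in combinations(sorted(nets.items()), 2):
        if n1.overlaps(n2):
            clashes.append((p1, p2, str(n1), str(n2)))
    return clashes


# Addresses as first written in the thread, with the stated 255.255.255.0 mask.
AS_POSTED = {"remote-a": "10.0.0.1/255.255.255.0",
             "remote-b": "10.0.0.2/255.255.255.0"}

# Addresses as corrected later in the thread.
CORRECTED = {"remote-a": "10.0.1.0/24",
             "remote-b": "10.0.2.0/24",
             "remote-c": "10.0.3.0/24"}

# Constructed case: a wider prefix at one site swallows another site's /24.
WITH_SUPERNET = {"remote-a": "10.0.1.0/24",
                 "remote-b": "10.0.2.0/24",
                 "remote-x": "10.0.0.0/16"}

if __name__ == "__main__":
    for label, entries in (("as posted", AS_POSTED),
                           ("corrected", CORRECTED),
                           ("with supernet", WITH_SUPERNET)):
        clashes = find_overlaps(entries)
        print(f"{label}: {'no overlap' if not clashes else clashes}")
```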

Hi Mukundh,

I am assuming the 2811 is the hub end (with the dynamic crypto map) and the RV042 is the remote end.

I do not think a subnet overlap is causing the issues you are seeing. What we need to look at is what is happening when traffic stops passing to one of the networks?

> Do the encrypts and decrypts counters increase on the 2811 router? You can verify this by running the command show cry ipsec sa and see if the counters increment.

> Is the VPN tunnel status UP on both ends or does one of the sides think the tunnel has gone down?

Regards,

Prapanch