Enabling new S2S Crypto Map breaks my AnyConnect config

Eric Snijders
Level 1

Hi all,

I'm not that experienced with all the Group Policies, Tunnel-Groups and Crypto-maps yet, but I'm trying to learn. In this case, I wanted to make a new IKEv2 IPsec Site-2-Site tunnel. I've created the NAT Exempt and the Phase 1 and 2 Policies, but as soon as I "activate" the Crypto map, my AnyConnect connection (that's running on the same ASA of course) instantly breaks down. Trying to log back in gives me a message of incorrect ciphers. I'm trying to understand why, but can't find it yet.

This is the current Crypto Map config:

FIREWALL101# show run crypto map
crypto map Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map KPN_WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map AZURE-TUN-MAP 1 match address Internet_cryptomap_2
crypto map AZURE-TUN-MAP 1 set peer X.X.X.X
crypto map AZURE-TUN-MAP 1 set ikev1 transform-set AZURE-TRANSFORM
crypto map AZURE-TUN-MAP 65535 ipsec-isakmp dynamic Internet_dyn_map
crypto map AZURE-TUN-MAP interface Internet

That is also the current config for an IKEv1 tunnel to Azure. Now, I created the following config for a new IKEv2 tunnel to Azure:

crypto map AZURE_NON_PROD 2 match address S2S_AZURE_NON_PROD
crypto map AZURE_NON_PROD 2 set peer X.X.X.X
crypto map AZURE_NON_PROD 2 set ikev2 ipsec-proposal AES256-SHA256

But as soon as I enter the following command, my AnyConnect connection instantly breaks down:

crypto map AZURE_NON_PROD interface Internet

If anyone would be able to explain to me why this is happening, I would be really happy. I definitely know it's just the experience/knowledge I don't have yet, but I don't really understand why this would break my Remote Access VPN while trying to enable a Site-2-Site tunnel.

Accepted Solution

The reason it is breaking is that your AnyConnect configuration is associated with AZURE-TUN-MAP. The site-to-site VPN you have configured there would also stop working. To keep this working you will either need to move the new IKEv2 VPN to AZURE-TUN-MAP or the site-to-site and AnyConnect to AZURE_NON_PROD. Once you enter the command "crypto map AZURE_NON_PROD interface Internet" you overwrite the one already configured.

--
Please remember to select a correct answer and rate helpful posts


3 Replies


Hi Marius,

Ah, now I see. Does that basically mean you can only have one "active" Crypto Map, albeit with multiple entries?

Thank you very much for the help.

Correct. As you say, one crypto map per interface, with multiple entries.

--
Please remember to select a correct answer and rate helpful posts
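A corrected layout following Marius's advice, added here as an example that is not from the thread: the IKEv2 entry is placed in AZURE-TUN-MAP (the map already bound to the Internet interface) under a free sequence number, so the dynamic entry that serves AnyConnect stays in place. It assumes the IPsec proposal AES256-SHA256 and the ACL S2S_AZURE_NON_PROD already exist and that IKEv2 is enabled on the Internet interface; X.X.X.X is the peer placeholder from the post.

```cisco
! 1. Put the original map back on the interface. This restores the dynamic
!    entry (seq 65535) that AnyConnect depends on and the IKEv1 Azure tunnel
!    (seq 1), because only one crypto map can be bound to an interface.
crypto map AZURE-TUN-MAP interface Internet
!
! 2. Add the IKEv2 site-to-site entry to that same map. Sequence 2 is free
!    (1 = IKEv1 Azure tunnel, 65535 = dynamic entry). Static entries must keep
!    lower sequence numbers than the dynamic one so they are evaluated first.
crypto map AZURE-TUN-MAP 2 match address S2S_AZURE_NON_PROD
crypto map AZURE-TUN-MAP 2 set peer X.X.X.X
crypto map AZURE-TUN-MAP 2 set ikev2 ipsec-proposal AES256-SHA256
!
! 3. Verify: AZURE-TUN-MAP should show static entries 1 and 2, the dynamic
!    entry 65535, and a single "interface Internet" binding. The now-unused
!    AZURE_NON_PROD entries can be removed afterwards.
show run crypto map
```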