cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1270
Views
0
Helpful
6
Replies

Falling VPN tunnels

hepterida
Level 1
Level 1

Hi all,

I have a trouble with 2 IPSec tunnels on Cisco ASA 5510.

Both of them are Site-to-Site tunnels.

Both of them are established against the same public IP address on my site.

It looks like they cannot run steadily in the same time. It looks like when one of them is actived, the other one could not be up.

Is it some kind of limit of Cisco ASA? Or is it a philosophical issue? Thank you for any clue.

Device description:

General

  • ASA Version: 8.3(1)
  • ASDM Version: 6.3(1)
  • Firewall Mode: Routed
  • Device Type: ASA 5510, SSM CSC 10

License

  • License: Base
  • Physical Interfaces: Unlimited
  • VLANs: 50
  • Failover: Disabled
  • Security Contexts: 0
  • GTP/GPRS: Disabled
  • Encryption: 3DES-AES
  • VPN Peers: 250
  • SSL VPN Peers: 2
6 Replies 6

fb_webuser
Level 6
Level 6

Why are we creating 2 tunnel for the same public IP.

---

Posted by WebUser Jeet Kumar from Cisco Support Community App

We have one interface with public IP and many partners.

That is why we use tunnels from partners' public IP addresses to our public IP address.

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

If you mean that you have two remote sites that are connecting to your site with L2L VPN, this should be no problem.

If you are configuring 2 L2L VPNs towards the same remote VPN peer IP then I guess its normal operation (that they dont work at the same time). To be honest I was under the impression you can't even configure 2 L2L VPNs with both ends IP address the same.

On ASA though you can configure one L2L VPN connection with multiple peer IP addresses, though I have never tried this.

Hi,

exactly, we have two L2L VPN.

1: subject_A to our_outside_interface_IP

2: subject_B to our_outside_interface_IP

When a traffic is arranged between subject_A and us, subject_B fall down even if they transfer data or not at the moment.

This is the shot from "Connection Profiles" in "Site-to-Site VPN" configuration on Cisco ASA (through ASDM)

NameInterfaceLocal NetworkRemote NetworkEnabledGroup Policy
subject_Aour_outside_interface_IPour_internal_IP_adresssubject_A_LANYESDfltGrpPolicy
subject_B

our_outside_interface_IP

our_external_IP_rangesubject_B_LANYESDfltGrpPolicy

Hi,

Ok. so 2x L2L VPN to two different sites.

Should be no problem with the idea of the setup naturally.

Seems other connection  (A) on your end uses NAT0 for the traffic. I mean it seems to me that you are showing your local LAN network with their original address.

The other connection (B) seems to use some external public IP address range on your end which is visible to the remote network

Is it possible for you to attach some configurations here so I/We could go through those?

- Jouni

Hi,

yes it looks little strange to me :-)

Philosophical background:


Subject_A - its LAN users are directly connected to our information system in DMZ through the IPSec tunnel.

Subject_B - our users are directly connected to its LAN through the IPSec tunnel.

Configuration extracts:

object-group network subject_A

network-object subject_A_LAN subject_A_MASK

object-group service subject_A tcp

port-object eq port_number

port-object eq port_number

port-object eq port_number

object-group network subject_A

network-object host subject_A_IP

object service subject_B_LAN_IP

service tcp source eq port

object-group network subject_B_LAN

network-object subject_B_LAN subject_B_MASK

network-object subject_B_LAN subject_B_MASK

network-object subject_B_LAN subject_B_MASK

network-object subject_B_LAN subject_B_MASK

network-object subject_B_LAN subject_B_MASK

network-object subject_B_LAN subject_B_MASK


access-list out extended permit tcp host subject_A_IP object our_server eq port_number

crypto map vpnmap value set peer subject_A_IP

tunnel-group subject_A_IP type ipsec-l2l

tunnel-group subject_A_IP ipsec-attributes

pre-shared-key value_of_PSK


tunnel-group subject_B_IP type ipsec-l2l

tunnel-group subject_B_IP ipsec-attributes

pre-shared-key value_of_PSK

isakmp keepalive disable


access-list outside_cryptomap extended permit ip our_external_IP_range object-group subject_B_LAN

access-list in extended permit tcp object our_internal_IP_range object-group subject_B_LAN

crypto map vpnmap 1 match address outside_cryptomap

crypto map vpnmap 1 set peer subject_B_IP

crypto map vpnmap 1 set transform-set set


crypto map vpnmap value match address outside_1_cryptomap_1

crypto map vpnmap value set peer subject_A_IP

crypto map vpnmap value set transform-set set

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy value

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400