GRE over IPSec ASA

foxdeniss
Level 1

Hello.

I want to create a VPN reservation system between offices.

LAN1 - ROUTER1 - ASA1 = (ISP1,2) = ASA2 - ROUTER2 - LAN2

I have 2 ASA with 2 ISP on each, and I have 2 routers on each branch with base license.

I create 2 VPN tunnels between ASAs and 2 GRE tunnels on routers  and EIGRP.

As result:

If I manually create the VPN and after that create the GRE, all is OK. If the channel falls, the VPN tunnel is OK, but GRE does not work.

If I enter on both ASAs: clear conn address x.x.x.x, then GRE tunnels get up.

As I understand, GRE tunnel creates before IPSEC.

Please help: how can GRE come up automatically?


olpeleri
Cisco Employee

Would the GRE terminate on a dynamic-map on one side?

If that's the case, then you need "sysopt connection reclassify-vpn" on that particular device, because if not, you would create a connection directly through the FW without considering encryption [since there were no crypto rules at the time of the connection creation].

Dynamic-maps on both sides are empty; is that OK?

I've added "sysopt connection reclassify-vpn" on both sides, but GRE did not come up.

Is a reboot needed for it to apply?

Maybe something is wrong in sysopt:

#show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp OUTSIDE
no sysopt noproxyarp DMZ
no sysopt noproxyarp test_vlan
no sysopt noproxyarp vlan_test_2
no sysopt noproxyarp local
no sysopt noproxyarp management
no sysopt noproxyarp outside2

Still assuming you are terminating the GRE on a dynamic-map on one side, then you would have to clear local-host on the side with the dyn-map.


Can you provide a sanitized show run?

The part of show run about the crypto map:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP_1 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap_2
crypto map OUTSIDE_map 1 set peer x.x.x.x
crypto map OUTSIDE_map 1 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto map outside2_map0 1 match address outside2_cryptomap
crypto map outside2_map0 1 set peer y.y.y.y
crypto map outside2_map0 1 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside2_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP_1
crypto map outside2_map0 interface outside2

The configs are the same on both sides.

It would be good to get a packet-tracer taken from both sides:

packet-tracer input rawip 47 detailed

New results are below.

I recreated the rules for the interfaces; nothing changed. Results:

1. GRE not up

asa1# packet-tracer input vlan102 rawip 192.168.7.1 47 192.168.3.2
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 585511, using existing flow

Phase: 2
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INTERNET_access_out_2 out interface INTERNET
access-list INTERNET_access_out_2 extended permit ip any any
Additional Information:

Result:
input-interface: vlan102
input-status: up
input-line-status: up
Action: allow

asa2# packet-tracer input vlan_test_2 rawip 192.168.3.2 47 192.168$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 503325, using existing flow

Result:
input-interface: vlan_test_2
input-status: up
input-line-status: up
Action: allow

2. GRE up

asa1# packet-tracer input vlan102 rawip 192.168.7.1 47 192.168.3.2
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 586094, using existing flow

Phase: 2
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INTERNET_access_out_2 out interface INTERNET
access-list INTERNET_access_out_2 extended permit ip any any
Additional Information:

Result:
input-interface: vlan102
input-status: up
input-line-status: up
Action: allow

asa2# packet-tracer input vlan_test_2 rawip 192.168.3.2 47 192.168$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 503586, using existing flow

Result:
input-interface: vlan_test_2
input-status: up
input-line-status: up
Action: allow
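The asa2 traces above show only a FLOW-LOOKUP that reuses an existing flow and no VPN encrypt phase, which is the pattern the reclassify-vpn and clear local-host advice earlier in the thread targets. As an added example that is not part of this thread, the Python below parses packet-tracer output into its phases and flags that pattern; the sample trace is constructed from the asa2 output, and its destination address is made up.

```python
import re

# Constructed sample modelled on the asa2 trace in the thread: FLOW-LOOKUP reuses
# an old flow and no VPN encrypt phase runs. The destination address is made up.
SAMPLE_STALE = """\
asa2# packet-tracer input vlan_test_2 rawip 192.168.3.2 47 192.168.7.1
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 503325, using existing flow
Result:
input-interface: vlan_test_2
Action: allow
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.M)
CMD_RE = re.compile(r"packet-tracer input (\S+) rawip (\S+) (\d+) (\S+)")

def parse_phases(trace):
    """Return one dict per 'Phase: N' block: type, subtype, result, info lines."""
    parts = PHASE_RE.split(trace)              # [preamble, num, body, num, body, ...]
    phases = []
    for num, body in zip(parts[1::2], parts[2::2]):
        ph = {"num": int(num), "type": "", "subtype": "", "result": "", "info": []}
        collecting = False
        for line in body.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "result" and not value:
                break                          # trailing summary block, not a phase field
            if key in ("type", "subtype", "result"):
                ph[key] = value
            elif key == "additional information":
                collecting = True              # free-text lines follow until the next field
            elif collecting and line.strip():
                ph["info"].append(line.strip())
        phases.append(ph)
    return phases

def triage(trace):
    """Flag the thread's symptom: existing flow reused, no 'VPN encrypt' phase shown."""
    m = CMD_RE.search(trace)
    phases = parse_phases(trace)
    reused = any(p["type"] == "FLOW-LOOKUP" and any("existing flow" in i for i in p["info"]) for p in phases)
    encrypt = any(p["type"] == "VPN" and p["subtype"] == "encrypt" and p["result"] == "ALLOW" for p in phases)
    return {"is_gre": bool(m) and m.group(3) == "47", "reused_flow": reused,
            "vpn_encrypt": encrypt, "stale_flow": reused and not encrypt}
```

Note that in the thread's second run asa2 prints the same trace while GRE is up, so a flagged trace is a prompt to check the IPsec SAs on that ASA, not proof that the flow is stale.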

Hi Denis,

You may be running into this known issue:

CSCse36327

The workaround:

- For a dynamic crypto map, use a match address statement for the GRE traffic.

- If the crypto map and/or isakmp is removed and reapplied, perform a "clear local-host" after that.


On PIX/ASA 8.0.2 or above:

- Issue 'sysopt connection reclassify-vpn' (save the config) and re-establish any existing tunnels.

I am not sure if your code version is included here, but even if you were running 8.0.2 or above I would suggest adding the crypto ACL as follows:

access-list match-gre extended permit ip host tunnel-source host tunnel-destination
crypto dynamic-map dyn_outside 5 match address match-gre

HTH.

Portu.

Please rate any helpful posts

Hello.

I've done the following:

'sysopt connection reclassify-vpn' (save the config) and re-establish any existing tunnels.

Added to the config:

access-list match-gre extended permit ip host 192.168.3.2 host 192.168.7.1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP_1 65535 match address match-gre
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP_1 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside2_map0 1 match address outside2_cryptomap
crypto map outside2_map0 1 set peer y.y.y.y
crypto map outside2_map0 1 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside2_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP_1
crypto map outside2_map0 interface outside2

on each side, followed by:

clear crypto isakmp sa
clear crypto ipsec sa
clear conn addr 192.168.7.1
clear conn addr 192.168.3.2

I found one interesting thing:

On each ASA I have 2 ISPs and the routes:

route OUTSIDE 0.0.0.0 0.0.0.0 DG1 1
route outside2 0.0.0.0 0.0.0.0 DG2 15
route outside2 ASA2(ISP2) DG2 1
route OUTSIDE 192.168.6.0 255.255.255.0 (gre1 point) DG1 1
route outside2 192.168.7.0 255.255.255.0 (gre2 point) DG2 1

After outside2 shut/no shut, GRE2 does not come up, GRE1 is OK.

Next I shut down OUTSIDE: GRE1 goes down, but GRE2 goes UP.

After OUTSIDE no shut, GRE1 also goes UP, GRE2 is UP.

In this case channel reservation works, but why does GRE2 not go up after the interface comes up?

Thank you.

PS. Firmware version 8.2(5)

Hello,

If someone could help on my query that would be more graceful.

I would like to know how many site-to-site connections can be made on Cisco PIX 515E and 525 firewalls...

Please reply ...

Thanks & Regards,

Sreeram

Dear Jennifer,

Thanks for your quick reply, and I confirmed the number of connections from the link given above.

Thank you very much...

sreeram

Dear Jennifer,

Can you tell me whether these 2000 connections are software connections or hardware in the end devices?

I need to know whether we can make 2000 hardware-to-hardware connections.

Please advise which would be the least hardware to be used at the other end.

What do you mean by hardware to hardware connections? Do you mean site-to-site (lan-to-lan) VPN tunnels?

How many site-to-site tunnels do you need?

Please kindly be advised that all the PIX devices are EOL. Here is the EOL notification for your reference:

EOL for PIX515E:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notice0900aecd8073fa36.html

EOL for PIX525:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html