
IPsec with dynamic map

ronald.su
Level 1

tricky thing... 

Office A and office B are connected with an IPsec VPN. Office A has a static public IP; office B uses a dynamic public IP.

So we have to use a dynamic crypto map in the VPN config (the IPsec device is an ASA 5525-X).

Office A has subnets A1 and A2; office B has subnet B1.

issue:

A1 is the server subnet, and users in office B connect to A1 frequently. So A1 can ping B, and vice versa.

BUT A2 is not able to ping B until B pings A2.

It seems that at the beginning the tunnel between A2 and B is not up; B (the dynamic-IP site) needs to send a packet to "turn on" the tunnel.

test:

If I clear the SA.

Do: B ping A1 -> OK.

and then: A1 ping B -> OK

and then: A2 ping B -> timeout

and then: B ping A2 -> OK, then A2 ping B -> OK


very confused...

any idea? thanks
7 Replies

The dynamic map side (subnet B) has to initiate first for A2 and A1 to be
able to ping B. It can't happen the other way because site A doesn't know
the IP of site B. The best option is to configure IP SLA (or any other
monitoring) to regularly ping the gateways of A1 and A2. This will keep the
tunnels up all the time.

**** please remember to rate useful posts

Thanks for your reply. I did set up the SLA monitor to try to send ICMP packets to bring the tunnel up,

but it does not work; the ICMP packets are never sent out. I tried both inside and outside. It seems all the operations are skipped:

ASA(config)# show sla monitor operational-state
Entry number: 10
Modification time: 19:16:31.296 UTC Tue Oct 13 2020
Number of Octets Used by this Entry: 1480
Number of operations attempted: 23
Number of operations skipped: 23
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 19:20:11.300 UTC Tue Oct 13 2020
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0

The SLA monitor seems not to work. I think it's not able to hit the VPN access-list, so it cannot send the packet to A2 via the VPN.

Now I am using a workaround: set an SNMP trap on the ASA (office B) pointing to some IP in A1 and A2, so when the VPN is down the ASA will send an SNMP packet to A2, which brings the connection up again...

IPsec needs a source and destination for ISAKMP, and these source and destination IP addresses are configured via set peer.

Now, for a dynamic crypto map there is no set peer, so the side you configure as dynamic doesn't have the destination IP address and the tunnel never comes up; the dynamic crypto side never initiates the ISAKMP tunnel.

Hope this is clear for you.

I understand, but office A and B have only 1 IPsec tunnel. So in my understanding, when A1 can ping B it means the IPsec VPN tunnel is up. Why is A2 not able to ping B until B sends a packet to A2?

Are they using different tunnels or SAs???

And if I group A1 and A2 into an object group, and configure the access-list by object group, does that help?

thanks

One tunnel but different SAs.

Did you configure any per-host under the dynamic map?

You see, if you have multiple hosts with one tunnel and NO per-host, you will get only one SA;

if you have multiple hosts with one tunnel and per-host, you will get multiple SAs,

and again we return to the first point: WHO initiated the traffic.
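The behaviour the thread describes (one IKE tunnel to office B, but one IPsec SA per crypto-ACL entry, each of which only the static-map side at office B can initiate) can be seen directly in the crypto configuration. What follows is an added example, not configuration from the original post: the interface names, the addressing (A1 = 10.1.0.0/24, A2 = 10.1.1.0/24, B1 = 192.168.10.0/24), office A's public address 203.0.113.10, the crypto-map and ACL names, and the pre-shared key are all assumed. The last part shows the change that collapses A1 and A2 into a single SA when the two subnets are contiguous: summarising them into one ACE. Putting them in an object-group does not achieve this, because the ASA expands the group back into one ACE per member, and each ACE is negotiated as its own proxy-ID pair.

```text
! ---- Office A (static public IP 203.0.113.10): dynamic crypto map, can only RESPOND ----
! Assumed addressing: A1 = 10.1.0.0/24, A2 = 10.1.1.0/24, B1 = 192.168.10.0/24
! Two ACEs => two proxy-ID pairs => two IPsec SAs, each negotiated only when B initiates.
access-list VPN_TO_B extended permit ip 10.1.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN_TO_B extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0

crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_B 10 match address VPN_TO_B
crypto dynamic-map DYN_B 10 set ikev1 transform-set ESP-AES256-SHA
crypto dynamic-map DYN_B 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_B
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
! No "set peer" is possible on a dynamic map, so there is no tunnel-group keyed on
! B's address; an IKEv1 pre-shared-key peer with an unknown address lands in the
! default L2L group.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <assumed-shared-secret>

! ---- Office B (dynamic public IP): static crypto map with set peer, the only INITIATOR ----
! The crypto ACL must mirror office A's line for line.
access-list VPN_TO_A extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN_TO_A extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0

crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
! crypto ikev1 policy 10: identical to office A
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <assumed-shared-secret>

! ---- Fix when A1 and A2 are contiguous: one summarised ACE on BOTH sides => one SA ----
! (10.1.0.0/24 + 10.1.1.0/24 = 10.1.0.0/23 in the assumed addressing.)
! Office A:
no access-list VPN_TO_B extended permit ip 10.1.0.0 255.255.255.0 192.168.10.0 255.255.255.0
no access-list VPN_TO_B extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN_TO_B extended permit ip 10.1.0.0 255.255.254.0 192.168.10.0 255.255.255.0
! Office B:
no access-list VPN_TO_A extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.255.0
no access-list VPN_TO_A extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN_TO_A extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.254.0
! Clear the old per-subnet SAs on B and let the first B->A packet rebuild the tunnel:
clear crypto ipsec sa peer 203.0.113.10
! Verify: "show crypto ipsec sa peer 203.0.113.10" should now list a single
! local/remote ident pair covering both A1 and A2 instead of one per subnet.
```

Two cautions on the summarised ACE. It only helps when the subnets sit on a common power-of-two boundary; a supernet chosen just to cover non-contiguous subnets also pulls any other address space in that range into the tunnel, which changes what traffic is encrypted and what is sent in the clear. And the ACLs must still mirror exactly on both ASAs, otherwise quick mode fails on the proxy-ID mismatch and nothing comes up at all. Where the subnets cannot be summarised, the SA-per-ACE behaviour stays, and the only way to get the A2 SA up without waiting for user traffic is, as in the thread, to have something on the B side send a packet that matches that ACE.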

Thanks, show ipsec sa tells me that those are different SAs.

And I did try grouping multiple subnets into a network object group and putting that network object group in the VPN access-list, but it still does not fix my issue. I still get multiple SAs...