10-13-2020 01:39 AM
tricky thing...
Office A and office B are connected with an IPsec VPN. Office A has a static public IP; office B uses a dynamic public IP.
So we have to use a dynamic crypto map in the VPN config (the IPsec device is an ASA 5525-X).
Office A has subnets A1 and A2; office B has subnet B1.
Issue:
A1 is the server subnet, and users in office B connect to A1 frequently. So A1 can ping B, and vice versa.
BUT A2 is not able to ping B until B pings A2.
It seems that at the very beginning the tunnel between A2 and B is not up; B (the dynamic IP site) needs to send a packet to "turn on" the tunnel.
Test:
If I clear the SA:
Do: B pings A1 -> OK.
And then: A1 pings B -> OK.
And then: A2 pings B -> timeout.
And then: B pings A2 -> OK, then A2 pings B -> OK.
Very confused...
Any ideas? Thanks.
10-14-2020 02:16 AM
One tunnel but different SAs.
Do you configure any per-host under the dynamic map?
You see, if you have multiple hosts with one tunnel and NO per-host, only one SA will be created;
if you have multiple hosts with one tunnel and per-host, multiple SAs will be created.
And again we return to the first point: WHO initiated the traffic.
10-13-2020 03:48 AM
10-14-2020 12:59 AM
Thanks for your reply. I did set up an SLA monitor to try to send ICMP packets to bring the tunnel up,
but it did not work; the ICMP packet is never sent out. I tried both the inside and outside interfaces. It seems all the operations are skipped:
ASA(config)# show sla monitor operational-state
Entry number: 10
Modification time: 19:16:31.296 UTC Tue Oct 13 2020
Number of Octets Used by this Entry: 1480
Number of operations attempted: 23
Number of operations skipped: 23
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 19:20:11.300 UTC Tue Oct 13 2020
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0
10-14-2020 07:36 PM
The SLA monitor seems not to work; I think it is not able to hit the VPN access-list, so it cannot send the packet to A2 via the VPN.
Now I am using a workaround: set an SNMP trap on the ASA (office B) pointing to some IP in A1 and A2, so when the VPN is down the ASA will send an SNMP packet to A2, which brings the connection up again...
10-13-2020 04:11 PM
IPsec needs a source and a destination for ISAKMP, and these source and destination IP addresses are configured via set peer.
Now, for a dynamic crypto map there is no set peer, so the side you configure as dynamic doesn't have the IP address of the destination and the tunnel never comes up; the dynamic crypto side never initiates the ISAKMP tunnel.
Hope this is clear for you.
10-13-2020 08:32 PM
I understand, but offices A and B have only one IPsec tunnel, so in my understanding when A1 can ping B it means the IPsec VPN tunnel is up. Why is A2 not able to ping B until B sends a packet to A2?
Are they using different tunnels or SAs???
And if I group A1 and A2 into an object group and configure the access-list with that object group, would that help?
Thanks.
10-14-2020 07:32 PM
Thanks, the show ipsec sa output told me those are different SAs.
And I did try grouping the subnets into a network object group and putting that object group in the VPN access-list, but it still did not fix my issue; I still get multiple SAs...
Now I am using a workaround: set an SNMP trap on the ASA (office B) pointing to some IP in A1 and A2, so when the VPN is down the ASA will send an SNMP packet to A2, which brings the connection up again...
The SLA monitor seems not to work; I think it is not able to hit the VPN access-list, so it cannot send the packet to A2 via the VPN.
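To make the "one tunnel but different SAs" point from the accepted answer and the object-group result above concrete, here is an added configuration example (not the poster's config and not taken from the thread). The ASA negotiates one IPsec SA pair per entry in the crypto ACL, and an object-group in a crypto ACL is simply expanded into one entry per member, so A1 and A2 still get separate SAs and the A2 SA stays down until something on the dynamic side sends traffic that matches its entry. If the two subnets are contiguous and aligned, a single summarised entry gives a single SA that the frequent B1 -> A1 traffic brings up for A2 as well. Addressing (A1 = 10.1.1.0/24, A2 = 10.1.2.0/24, B1 = 10.2.1.0/24, office A public IP 203.0.113.1), the object and crypto map names, the transform set and the pre-shared key are all assumed for the example; NAT exemption and IKE policy are omitted. The crypto ACL on the office A side must mirror the selector exactly.

```cisco
! ===== Office B ASA (dynamic public IP, static crypto map pointing at office A) =====
! Added example, not the poster's configuration. Addresses and names are assumed.

! Variant 1: one ACE per remote subnet. Each ACE is a separate traffic selector,
! so the ASA negotiates one IPsec SA pair for B1<->A1 and another for B1<->A2.
! The A2 SA only comes up once a host in B1 sends traffic matching the second ACE.
access-list VPN-TO-A extended permit ip 10.2.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-TO-A extended permit ip 10.2.1.0 255.255.255.0 10.1.2.0 255.255.255.0

! Putting A1 and A2 in an object-group does NOT change this: the ASA expands the
! group into the same two ACEs, so you still get two SAs (what the poster observed).
object-group network A-SUBNETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
! access-list VPN-TO-A extended permit ip 10.2.1.0 255.255.255.0 object-group A-SUBNETS

! Variant 2: one summarised ACE covering both A1 and A2 (10.1.0.0/23).
! Only one selector, so only one IPsec SA pair; the first B1 -> A1 packet brings
! it up and A2 <-> B1 traffic rides the same SA immediately.
no access-list VPN-TO-A extended permit ip 10.2.1.0 255.255.255.0 10.1.1.0 255.255.255.0
no access-list VPN-TO-A extended permit ip 10.2.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list VPN-TO-A extended permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.254.0

crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map CM-OUTSIDE 10 match address VPN-TO-A
crypto map CM-OUTSIDE 10 set peer 203.0.113.1
crypto map CM-OUTSIDE 10 set ikev1 transform-set TS-AES256-SHA
crypto map CM-OUTSIDE interface outside

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key ExamplePSK-ChangeMe

! ===== Office A ASA (static public IP, dynamic crypto map for the roaming peer) =====
! Mirror image of the summarised selector. This side has no "set peer", so it can
! only respond; office B must always be the initiator, exactly as described above.
access-list VPN-TO-B extended permit ip 10.1.0.0 255.255.254.0 10.2.1.0 255.255.255.0

crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-B 10 match address VPN-TO-B
crypto dynamic-map DYN-B 10 set ikev1 transform-set TS-AES256-SHA
crypto map CM-OUTSIDE 65535 ipsec-isakmp dynamic DYN-B
crypto map CM-OUTSIDE interface outside

tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key ExamplePSK-ChangeMe

! ===== Verification (either side) =====
! With variant 1 you see two "local ident / remote ident" blocks, one per ACE;
! with variant 2 a single block for 10.1.0.0/23 <-> 10.2.1.0/24.
show crypto ipsec sa
```

If A1 and A2 cannot be summarised into one prefix, the per-ACE behaviour cannot be avoided on the selector alone: each ACE stays its own SA and, because the dynamic-map side never initiates, each SA is only established after a host on the office B side sends matching traffic. Whatever is used to generate that traffic (the poster's SNMP trap workaround, an SLA probe, or a scheduled ping from a host in B1) must be sourced from an address that falls inside the local part of the matching ACE, otherwise it is not classified as VPN traffic at all.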