L2L VPN using Dynamic IP -- issue

jibsoni
Level 1

Dear All,

I am having multiple sites with dynamic IP addresses.

At HO I am having a Cisco router with a dynamic IP address, in which internet port forwarding is configured, and the VPN is terminated on an ASA.

I am having 40 branches, all with dynamic IPs. All L2L tunnels are up and running.

My issue is that, from branch to HO, communication is perfect, but from HO I am not able to access any of the branch resources.

Could somebody help me to resolve this issue? Config is attached.


12 Replies

Marcin Latosiewicz
Cisco Employee

Please check the logs on the ASA while running the test for the IP address you're testing with.

Make sure you're logging at least on informational level.

I'm curious, why aren't you using ezvpn in NEM mode instead of l2l?

Marcin

Hi Marcin,

Thanks for your support. This was done by some other company and now I am taking care of the network.

I am having a doubt on the Cisco ASA (HO): there is no access-list configured on the ASA, but in the branch an ACL is configured.

Please clarify my doubt:

When I am trying to access a branch from HO, how will the ASA forward the traffic to that particular branch? But when I access HO from a branch it will take the VPN ACL and will go out (I am able to access all HO resources from BR).

One more piece of information: I have two internet routers in HO, 20 branches are connected to one and 20 to the other. In the ASA there is no default gateway configured.

Please suggest me a solution.


Let me address those one by one.

1. Regarding crypto ACL - since we don't know which peer is going to tunnel which subnets (proxy IDs), we rely on the client to request the correct proxy IDs. Thus the other side will request something and we will accept it as the proxy IDs for that peer. That's OK with dynamic IP for L2L peers.

2. See answers above, correct proxy IDs are installed on the ASA (or should be).

3. That's indeed interesting.

Can you add "crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse" to your configuration?

If there are two possible routers to go out via... are they in HSRP or something? Is the ASA visible via different IP addresses on the outside depending on which dynamic peer connects?

Can you please attach a topology diagram?

Marcin

Thanks for your valuable time

As you advised I have added "crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse", but the result was the same (can't access branch from HO), and I am not using any HSRP configuration on the internet routers.

I am not aware about proxy settings (correct proxy IDs are installed on the ASA). Is it required?

As per the diagram all locations are using ADSL and port forwarding is configured on both internet routers for the VPN ports. Kindly go through the attached diagram and suggest me.

The ASA installs proxy IDs based on what the dynamic peers ask for.

Did you try to tear down the tunnel after you added reverse route injection?

Can you please attach "show vpn-session" and "sho route" .

I would also check logs if it's the ASA dropping those packets.

--------

conf t

logg buffered info

logg buffer-size 1000000

--------

initiate the test and check for me:

-------

sh logg | i SOURCE_IP

sh logg | i DESTINATION_IP

-------

Marcin

Thank you Marcin

I have rebooted one of the branch routers after adding reverse route injection.

Kindly check the attached log file which you requested.

AHA!

I understand the setup a little bit better.

It seems that your routers are doing destination NAT, so all tunnels appear to be coming from the "172.16.40.0/23" subnet.

And indeed your assumption is correct: the problem appears to be related to a lack of correct routes pointing to the outside (at least it seems so for now).

However, reverse route injection should take care of it.

Speaking of which, I noticed your tunnels land on crypto dynamic-map alfa and not the system default.

Please add "crypto dynamic-map alfa 1 set reverse" and restart one of the tunnels (do not reload the spoke, just clear isakmp or ipsec session for it).

We'll see from there.

Marcin
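The check Marcin is walking through above (do the spoke subnets the ASA accepted as remote proxy IDs actually have a route out of the outside interface, as reverse route injection would install?) can be scripted against the output of "show crypto ipsec sa" and "show route". This is an added example, not code from the thread; the two sample outputs are constructed, and the interface name "outside" and the subnets in them are assumptions.

```python
import re
import ipaddress

# Constructed sample in the style of "show crypto ipsec sa | i ident|peer"
# (two spokes behind the NAT routers, both landing on the dynamic map).
SAMPLE_IPSEC_SA = """\
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
      current_peer: 172.16.40.11
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.2.0/255.255.255.0/0/0)
      current_peer: 172.16.40.12
"""

# Constructed sample "show route": RRI has injected a route for only one spoke,
# and there is no default route (as in the thread: no default gateway on the ASA).
SAMPLE_ROUTE = """\
C    192.168.0.0 255.255.255.0 is directly connected, inside
C    172.16.40.0 255.255.254.0 is directly connected, outside
S    10.10.1.0 255.255.255.0 [1/0] via 172.16.40.11, outside
"""

IDENT_RE = re.compile(r"remote ident .*?\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/")
PEER_RE = re.compile(r"current_peer:\s*(\d+\.\d+\.\d+\.\d+)")
ROUTE_RE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+).*?,\s*(\S+)\s*$", re.M)


def parse_spokes(sa_text):
    """Map each remote proxy ID (spoke subnet) to the peer address it came from."""
    spokes, pending = {}, None
    for line in sa_text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            pending = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            continue
        m = PEER_RE.search(line)
        if m and pending is not None:
            spokes[pending] = m.group(1)
            pending = None
    return spokes


def parse_routes(route_text):
    """Map each routed network to the egress interface named at the end of the line."""
    return {ipaddress.ip_network(f"{n}/{mask}"): iface for n, mask, iface in ROUTE_RE.findall(route_text)}


def missing_rri(sa_text, route_text, outside="outside"):
    """Spoke subnets with no route via the outside interface, i.e. hub-to-spoke traffic has nowhere to go."""
    routes = parse_routes(route_text)
    return [(str(subnet), peer) for subnet, peer in parse_spokes(sa_text).items()
            if not any(subnet.subnet_of(net) and iface == outside for net, iface in routes.items())]
```

Running missing_rri on the samples reports 10.10.2.0/24 (peer 172.16.40.12) as the spoke whose route was never injected.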

Hi Marcin,

That worked! I just added crypto dynamic-map alfa 1 set reverse and restarted the tunnel.

Thanks a lot for your support and the time you spent on this issue.

Glad to be of help ;-)

Until next time.

Marcin

One quick question:

In HO I am having 2 subnets, 192.168.0.x and 192.168.5.x. From 192.168.0.x the branch is accessible, but from 5.x the branch is not accessible.

Any solution for this?

Do I need to configure a VPN ACL or not?

Normally you should not ...

Is this happening all across the spokes or only on some?

Can you show me "show crypto ipsec sa | i caps|ident|spi|peer" output.

I am always trying with one branch. I believe the same is happening to all branches.

Please check the output of the command attached.
