PFS issue with multiple remote subnets

WStoffel1
Level 1

I had two L2L tunnels connected to my ASA.  Both far ends are a single customer, two offices, both with Sonicwalls.

Tunnel to each site was fine, then there came the need to have the two sites be able to talk, RTP for new VoIP set up.

Updated the tunnels accordingly and had no issues, it all worked perfectly.  Then I added PFS to the crypto, group 2 and the second SA dropped.

In other words the two remote networks could not talk, but the SA from my ASA to each Sonicwall remained up.

I can't post the configs but as long as I keep PFS out of the equation I have no issue, is there something very general I'm missing or should be adding?

Wondering if anyone just has a thought or two on it,  thank you!

Accepted Solutions

Have you tried upgrading to an up-to-date release? I remember some PFS-related bugs that were fixed in the past.

WStoffel1
Level 1

Good enough for me, it is verrrrrrrrrrry old code.  And pretty inexplicable why it was happening. Thank you.

When you added PFS on your ASA, did the customer add PFS on their Sonicwalls? If the VPNs work fine without PFS and do not work when you add PFS, it suggests that perhaps it is not applied on the other end.

HTH

Rick