
Question related to IKE policy priority.

bhushan.bisht
Level 1

Guys, we have a head office ASA connected to a branch ASA via a site-to-site VPN tunnel. The head office ASA has priorities 11, 20 and 40 configured, while the branch has only IKE priority 50 defined, and no default priority is visible under show run. Based on this information, should the VPN tunnel between head office and branch establish?

2 Accepted Solutions

raga.fusionet
Level 4

Bhushan,

When you say IKE policy priorities, you are referring to crypto isakmp policies, right?

If that is the case, the number that you use to identify those is locally significant. It doesn't matter if you have crypto isakmp policy 1 on one side and crypto isakmp policy 5 on the other side; as long as there is one policy on each side and the parameters match (encryption, authentication, hash, DH group, preshared key), your Phase 1 should come up.

I hope this helps.

Raga


Jon Marshall
Hall of Fame

Just to add to Raga's post. ISAKMP policies are run through in the order they are numbered. So if your remote site only has one ISAKMP policy, when it connects your HQ ASA will simply test each ISAKMP policy it has configured against the branch ISAKMP settings until it either finds one that matches or gets to the end without having matched any.

As Raga says, the actual numbers are only locally significant.

Jon

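To make the two answers above concrete, here is an added example (not code from the thread or from Cisco) that simulates the Phase 1 policy walk the answers describe. The two configs are constructed in `crypto isakmp policy` syntax with the priorities from the question (11, 20, 40 at head office; 50 at the branch). The parser and the matching loop are this example's own assumptions: only encryption, hash, authentication and DH group are compared, every attribute is written out explicitly (a real ASA fills in platform defaults for omitted lines), and the preshared key is not modelled because it is checked at authentication, not offered in the proposal.

```python
"""Simulation of IKEv1 (ISAKMP) Phase 1 policy matching between two ASAs.

Added example, not from the thread. Configs are constructed; the parser and
the matching loop are assumptions modelling the behaviour the answers
describe: the policy number is locally significant, and the responder walks
its own policies in priority order until one matches an offered proposal.
"""
import re
from dataclasses import dataclass

# Constructed head-office config: three policies, priorities 11, 20 and 40.
HQ_CONFIG = """\
crypto isakmp policy 11
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""

# Constructed branch config: a single policy, priority 50.
BRANCH_CONFIG = """\
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str
    hash: str
    authentication: str
    group: str

    def proposal(self):
        # Only these four attributes are compared. The priority number is
        # never sent to the peer, so it cannot take part in the match.
        return (self.encryption, self.hash, self.authentication, self.group)


def parse_policies(config):
    """Parse 'crypto isakmp policy N' blocks, sorted by priority (lowest first)."""
    policies, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if header:
            if current:
                policies.append(_finish(current))
            current = {"priority": int(header.group(1))}
        elif current and line:
            key, _, value = line.partition(" ")
            current[key] = value
    if current:
        policies.append(_finish(current))
    return sorted(policies, key=lambda p: p.priority)


def _finish(fields):
    # Assumption: every attribute is written out. A real ASA fills in platform
    # defaults for omitted lines; this parser refuses to guess them.
    for key in ("encryption", "hash", "authentication", "group"):
        if key not in fields:
            raise ValueError(f"policy {fields['priority']} is missing '{key}'")
    return IsakmpPolicy(fields["priority"], fields["encryption"], fields["hash"],
                        fields["authentication"], fields["group"])


def phase1_match(initiator, responder):
    """Return (responder_policy, initiator_policy) for the first match, else None.

    The initiator offers all of its policies; the responder checks each of its
    own policies in priority order against those offers and accepts the first
    one whose four attributes match.
    """
    for own in responder:
        for offered in initiator:
            if own.proposal() == offered.proposal():
                return own, offered
    return None


if __name__ == "__main__":
    hq, branch = parse_policies(HQ_CONFIG), parse_policies(BRANCH_CONFIG)
    print(phase1_match(branch, hq))  # branch initiates, HQ responds
```

Running it shows HQ policy 40 pairing with branch policy 50, since HQ tries 11 and 20 first and neither matches the single branch proposal. Renumbering the branch policy to 1 changes nothing, while changing its DH group to 5 (which no HQ policy combines with 3DES/MD5) leaves no match at all, which is the failure mode to look for when Phase 1 never comes up.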

4 Replies

bhushan.bisht
Level 1

Thanks to both Luis and Jon for clarifying my doubts.

Regards

Sure anytime