RAVPN anyconnect Over IPSEC Tunnel

Hello Guys,

I need help with my case. My device is an FPR 1140 and I want to connect it to AWS. I have done these steps:

1. https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/222264-configure-anyconnect-to-access-server-ov.html#toc-hId--1314947090 

2. NAT exempt for the AnyConnect traffic to the remote subnet.

3. Add your AnyConnect subnet to the Site 2 Site VPN crypto ACL at both ends of the Site 2 Site VPN.

4. Add the split tunneling remote subnet to the split tunnel ACL.

And now I have a problem: my RAVPN and LAN traffic are overlapping. I already configured NAT exempt for both RAVPN and LAN to the remote subnet, but when I enable both NAT exempts, either the RAVPN traffic to AWS is up or the LAN is up. I need to do "clear crypto ikev1 sa" after each configuration change/troubleshooting attempt to check whether the traffic is up or not. Need help, thank you.

6 Replies

What do you mean by overlapping? Is the AnyConnect pool part of your LAN subnet?

I mean when I enable both NAT exempts (RAVPN subnet and LAN subnet), one of these traffic flows goes down and the other goes up to the remote site subnet. The AnyConnect pool is not part of my LAN subnet.

Would you mind sharing your sanitized configs for review?

Can I see the output of "show run nat"?

MHM

Unless anything has changed (and according to AWS FAQ it hasn't), you are limited to a single Security Association (SA) for a policy-based tunnel to AWS.

See the following two resources:
https://aws.amazon.com/vpn/faqs/#topic-3
https://docs.aws.amazon.com/vpn/latest/s2svpn/CGRequirements.html#:~:text=You%20are%20limited%20to%20one%20unique%20security,unique%20SA%20pairs%20in%20total%20for%20two

So the crypto ACL between your site2site VPN connection to AWS should always contain only one entry.

Your options are:
#1 Change the tunnel into a route-based site2site. The Firepower supports this and there are a number of documentation examples on how to create a tunnel to AWS. This is the preferred method when creating a tunnel to AWS.

#2 Consolidate the crypto ACL so a single line can contain both the RAVPN and LAN subnets (if they are not in completely different ranges).

---
Please mark helpful answers & solutions
---
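Added illustration of option #2 above, not from the thread or from Cisco/AWS documentation: ASA-style CLI (on a Firepower this would be pushed from FMC/FDM, but "show run" displays the same syntax) with constructed subnets, showing the two-entry crypto ACL that negotiates two SA pairs beside the single summarized entry AWS's policy-based VPN can accept, plus the NAT exemptions for both sources.

```cisco
! Constructed example subnets (assumptions, not from the original post):
!   LAN             10.10.0.0/24
!   AnyConnect pool 10.10.1.0/24  (adjacent to the LAN, so both fit in one /23)
!   AWS VPC         172.31.0.0/16
object network LAN_NET
 subnet 10.10.0.0 255.255.255.0
object network RAVPN_POOL
 subnet 10.10.1.0 255.255.255.0
object network AWS_VPC
 subnet 172.31.0.0 255.255.0.0

! BEFORE: two ACEs = two SA pairs. AWS keeps only one, so whichever
! SA was negotiated last works and the other source loses the tunnel.
access-list AWS_VPN_OLD extended permit ip object LAN_NET object AWS_VPC
access-list AWS_VPN_OLD extended permit ip object RAVPN_POOL object AWS_VPC

! AFTER: one summary object covering both /24s -> one ACE -> one SA pair.
! Check that the summary does not swallow networks that must not be tunneled,
! and configure the same single local CIDR (10.10.0.0/23) on the AWS side.
object network LOCAL_SUMMARY
 subnet 10.10.0.0 255.255.254.0
access-list AWS_VPN extended permit ip object LOCAL_SUMMARY object AWS_VPC

! NAT exempt (identity NAT) for both sources toward the VPC.
! RAVPN traffic enters and leaves on "outside", hence the hairpin pair.
same-security-traffic permit intra-interface
nat (inside,outside) source static LAN_NET LAN_NET destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup
nat (outside,outside) source static RAVPN_POOL RAVPN_POOL destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup

! Split-tunnel ACL (step 4 in the original post): send only VPC traffic through AnyConnect.
access-list SPLIT_TUNNEL standard permit 172.31.0.0 255.255.0.0
```

After replacing the crypto ACL, clear the existing SAs once so the new single proxy ID is negotiated; if the AnyConnect pool is not adjacent to the LAN, no clean summary exists and option #1 (route-based VTI) is the way out.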

wajidhassan
Level 4

The issue arises because AWS policy-based VPN only supports a single Security Association (SA), so having multiple NAT exempt rules with separate crypto ACL entries causes traffic conflicts. You can fix this by either converting to a route-based VPN (preferred) or combining the RAVPN and LAN subnets into one crypto ACL entry if possible.