cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
318
Views
0
Helpful
1
Replies
Highlighted
Enthusiast

Second tunnel do not pass traffic

Hello experts,

I have an ASA5510 (HQ) with two ASA5505 (BRs) connected via site2site vpn.

 

The 5510 use an outside interface for all tunnels. Each 5505 use one as well. Everything works fine.

 

Now I have one additional internet (for outside2) in one of 5505 (BR1). In this 5505 I just added to the crypto map (new sequence) the previous match address <VPN-BR1-TO-HQ>, set peer, transformation and a new crypto interface (outside2).

!

access-list VPN-BR1-TO-HQ extended permit ip object-group BR1-NETS object-group HQ-NETWORKS

!

crypto map VPN 1 match address VPN-BR1-TO-HQ

crypto map VPN 1 set peer 190.28.45.33 (same peer)

crypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA

crypto map VPN interface outside

!

crypto map VPN 2 match address VPN-BR1-TO-HQ

crypto map VPN 2 set peer 190.28.45.33 (same peer)

crypto map VPN 2 set ikev1 transform-set ESP-AES256-SHA

crypto map VPN interface outside2

!

tunnel-group 190.28.45.33 type ipsec-l2l

tunnel-group 190.28.45.33 ipsec-attributes

 ikev1 pre-shared-key ****

!

In the 5510 added a new crypto map sequence with the same <VPN-HQ-TO-BR1>, the new set peer, transformation and using the same interface outside.

!

access-list VPN-HQ-TO-BR1 extended permit ip object-group HQ-NETS object-group BR1-NETS

access-list VPN-HQ-TO-BR1 extended permit ip object-group BR2-NETS (other spoke) object-group BR1-NETS

!

!

crypto map VPN 1 match address VPN-HQ-TO-BR1

crypto map VPN 1 set peer 203.7.113.2

crypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA

crypto map VPN 2 match address VPN-HQ-TO-BR1

crypto map VPN 2 set peer 198.55.100.2

crypto map VPN 2 set ikev1 transform-set ESP-AES256-SHA

crypto map VPN interface outside    (same interface for both)

..

..

crypto map VPN <n>...

!

!

tunnel-group 203.7.113.2 type ipsec-l2l

tunnel-group 203.7.113.2 ipsec-attributes

 ikev1 pre-shared-key ****

!

tunnel-group 198.55.100.2 type ipsec-l2l

tunnel-group 198.55.100.2 ipsec-attributes

 ikev1 pre-shared-key ****

!

Something weird is happening. Both tunnels are formed, both pass phase 1 and phase 2 but tunnel 2 does not route the traffic.

If I disconnect tunnel 1, tunnel 2 continues up but does not route traffic. there is decaps but not encaps, same thing for encryption.

I discovered that if I delete the cryptomap 1 in the 5510, the tunnel 2 start to pass traffic (routing).

also works if I move the cryptomap 1 to 3 (in the 5510), tunnel 2 works fine, but now the cryptomap 3 does not.

In this scenario, only the first cryptomap defined works, the second doesn’t. Changing the order of definition, moving the “bad” crypto to the top (or above the good one) force this tunnel to work fine in detriment of the good one.

How can i fix this?

Its possible do that with a crypto dynamic-map ?.  If so, how can be using only ikev1 ?.   

Thanks,

RJB

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Enthusiast

Re: Second tunnel do not pass traffic

Hello, I solved my issue changing the Proffered peer behavior. Deleting the second crypto map and just adding the second ip to the peer list.

!

crypto map VPN 1 match address VPN-HQ-TO-BR1

crypto map VPN 1 set peer 203.7.113.2 198.55.100.2

crypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA

crypto map VPN interface outside (same interface for both)

..

..

View solution in original post

1 REPLY 1
Highlighted
Enthusiast

Re: Second tunnel do not pass traffic

Hello, I solved my issue changing the Proffered peer behavior. Deleting the second crypto map and just adding the second ip to the peer list.

!

crypto map VPN 1 match address VPN-HQ-TO-BR1

crypto map VPN 1 set peer 203.7.113.2 198.55.100.2

crypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA

crypto map VPN interface outside (same interface for both)

..

..

View solution in original post