01-21-2009 07:57 AM - edited 02-21-2020 04:07 PM
Hello - I am trying to bring up a second site-to-site VPN tunnel to a site where I have an existing one, and I am having issues. Here is the layout: Right now I have site A and site B; both sites have an ASA 5520. In site A I have a link out to the internet on gi0/3 and a link to the internet via a different ISP on gi0/2. In site B I have the same setup, gi0/3 to one ISP and gi0/2 to another. Currently I have a site-to-site VPN tunnel that is working from A -> B via the connections on ports gi0/3. Now, I try to add a second site-to-site tunnel via the wizard in ASDM for site A -> B on the ports gi0/2, and as soon as I apply it, I lose the first tunnel, and the new one does not come up. As soon as I remove the second one, the original tunnel is restored. A little confusing, I know, but any help would be great.
01-21-2009 08:36 AM
Can you post your "head end" ASA config for review?
01-21-2009 09:07 AM
01-21-2009 09:15 AM
It only has one site to site tunnel config on it. Did you remove the config?
01-21-2009 09:17 AM
Yes, because when I add the new one, the existing one drops.
01-22-2009 08:58 AM
Post the config of the extra tunnel?
01-22-2009 12:29 PM
Here are the latest configs. Disregard the original one as I have changed some things that have allowed me to keep the working tunnel from dropping.
The tunnel that is working fine is the one from Site A:nameif DR-FIOS to Site B:nameif Outside.
The tunnel not coming up is from Site A:nameif DR-FIOS2 to Site B:nameif DR-Tunnel.
01-22-2009 01:09 PM
Change from this:-
crypto map peer1 20 match address 170
crypto map peer1 20 set peer 74.Y.Y.Y
crypto map peer1 20 set transform-set myset
crypto map peer1 20 set reverse-route
crypto map peer1 interface DR-FIOS2
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map peer2 10 match address 169
crypto map peer2 10 set peer 71.X.X.X
crypto map peer2 10 set transform-set pix2
crypto map peer2 10 set reverse-route
crypto map peer2 interface DR-FIOS
to this:-
crypto map outside_map0 20 match address 170
crypto map outside_map0 20 set peer 74.Y.Y.Y
crypto map outside_map0 20 set transform-set myset
crypto map outside_map0 20 set reverse-route
crypto map outside_map0 interface DR-FIOS2
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 10 match address 169
crypto map outside_map0 10 set peer 71.X.X.X
crypto map outside_map0 10 set transform-set pix2
crypto map outside_map0 10 set reverse-route
crypto map outside_map0 interface DR-FIOS
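A way to sanity-check crypto map lines like the ones in this thread before applying them, as an added example that is not part of the original posts: the script lists which map each interface ends up with, and flags an interface bound to more than one map (an ASA interface takes a single crypto map set), a map with entries but no binding, and static entries missing a peer, ACL or transform set. The names `audit` and `KEYS` are made up for this example, and it only sees the lines passed to it, so a binding elsewhere in the full config would clear a finding.

```python
import re
from collections import defaultdict

# Excerpt under audit: the "to this" lines from the reply above (audit/KEYS are example names).
SAMPLE = """\
crypto map outside_map0 20 match address 170
crypto map outside_map0 20 set peer 74.Y.Y.Y
crypto map outside_map0 20 set transform-set myset
crypto map outside_map0 20 set reverse-route
crypto map outside_map0 interface DR-FIOS2
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 10 match address 169
crypto map outside_map0 10 set peer 71.X.X.X
crypto map outside_map0 10 set transform-set pix2
crypto map outside_map0 10 set reverse-route
crypto map outside_map0 interface DR-FIOS
"""
KEYS = {"match address": "acl", "set peer": "peer",
        "set transform-set": "transform-set", "ipsec-isakmp dynamic": "dynamic"}

def audit(config):
    """Return ({interface: map}, [findings]) for the crypto map lines given."""
    entries = defaultdict(lambda: defaultdict(dict))  # map -> seq -> settings
    bindings, findings = {}, []
    for line in map(str.strip, config.splitlines()):
        bind = re.fullmatch(r"crypto map (\S+) interface (\S+)", line)
        entry = re.fullmatch(r"crypto map (\S+) (\d+) (.+)", line)
        if bind:
            name, iface = bind.groups()
            if bindings.get(iface, name) != name:
                findings.append(f"{iface}: bound to both {bindings[iface]} and {name}")
            bindings[iface] = name
        elif entry:
            name, seq, rest = entry.groups()
            for prefix, key in KEYS.items():
                if rest.startswith(prefix + " "):
                    entries[name][int(seq)][key] = rest[len(prefix):].split()[0]
    for name, seqs in entries.items():
        if name not in bindings.values():
            findings.append(f"{name}: has entries but no interface binding")
        for seq, e in sorted(seqs.items()):
            missing = [k for k in ("acl", "peer", "transform-set") if k not in e]
            if "dynamic" not in e and missing:
                findings.append(f"{name} {seq}: missing {', '.join(missing)}")
    return bindings, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```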