01-12-2018 10:10 AM - edited 09-21-2018 04:41 AM
Hello Techies,
I have sites A, B, C and D. I am trying to create a site-to-site IPsec VPN to sites B, C and D with an ASA 5515 from site A, but I have a few issues:
Background
1. Some of the sites have more than one subnet, e.g. Site B has the 192.168.2.x/24 subnet and the 172.16.0.0/18 subnet.
2. Site A (the site with the ASA), has the following subnet 192.168.0.0/24 and 172.16.120.0/21
3. Site C has the subnet 172.16.130.0/24
NOW THE PROBLEM
1. Two sites do not stay up. When one site is brought up, the other goes down.
2. Two subnets from a site do not stay up, one stays up and the other is down.
01-12-2018 10:26 AM
PLEASE HELP!!!
01-12-2018 11:45 AM - edited 01-12-2018 02:18 PM
You can only have 1 crypto map assigned to an interface; you would need to use sequence numbers to distinguish between the different peers. E.g.:
crypto map outside_map 2 match address ILUPEJU_LAN_TRAFFIC
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer 62.173.x.x
crypto map outside_map 2 set ikev1 transform-set ILUPEJUSET
crypto map outside_map 3 match address Abuja-to-VI
crypto map outside_map 3 set peer 41.184.x.x
crypto map outside_map 3 set ikev1 transform-set ABUJA-SET
Then enable the crypto map on the outside interface.
01-12-2018 11:24 PM
Hello RJI,
Thanks for responding.
crypto map outside_map 2 match address ILUPEJU_LAN_TRAFFIC
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer 62.173.x.x
crypto map outside_map 2 set ikev1 transform-set ILUPEJUSET
crypto map outside_map 3 match address Abuja-to-VI
crypto map outside_map 3 set peer 41.184.x.x
crypto map outside_map 3 set ikev1 transform-set ABUJA-SET
1. If I understand you, you said I cannot have these two at the same time, as I also observed that one deletes the other if they are pointing at the same outside interface.
- crypto map outside-map interface outside
- crypto map outside_map_abuja interface outside
Is the solution to create other outside interfaces for the other crypto maps? E.g.
interface GigabitEthernet0/0
crypto map outside_map
interface GigabitEthernet0/2
Crypto map outside_map_abuja
2. I already have sequence numbers separating the crypto maps, as seen above. Is there anything to correct there, please?
(crypto map outside-map interface outside)
01-13-2018 01:42 AM
Hi, You were previously attempting to use 2 x crypto map "outside-map" and "outside_map_abuja". Only one of these can be applied to an interface.
You are using different sequence numbers in your original example output, but the crypto map name is different.
You just need to create 1 crypto map for all VPNs and use the sequence numbers (as per my example) to distinguish between the VPN peers.
HTH
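The check described in the reply above can be automated against a saved or candidate configuration. The following is an added example, not code from the thread or from Cisco: the `audit` function, the regular expressions and the sample text are hypothetical, and the peer addresses are constructed documentation-range values standing in for the elided ones.

```python
import re
from collections import defaultdict

# Constructed sample: the two-map layout the thread describes, with
# documentation-range peer addresses in place of the elided ones.
SAMPLE = """\
crypto map outside-map 2 match address ILUPEJU_LAN_TRAFFIC
crypto map outside-map 2 set peer 203.0.113.10
crypto map outside-map 2 set ikev1 transform-set ILUPEJUSET
crypto map outside_map_abuja 3 match address Abuja-to-VI
crypto map outside_map_abuja 3 set peer 198.51.100.20
crypto map outside_map_abuja 3 set ikev1 transform-set ABUJA-SET
crypto map outside-map interface outside
crypto map outside_map_abuja interface outside
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)")
BIND = re.compile(r"^crypto map (\S+) interface (\S+)")

def audit(config):
    """Return (effective, findings): the map left on each interface, and problems."""
    entries = defaultdict(dict)   # map name -> sequence number -> attributes
    effective, findings = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ENTRY.match(line):
            name, seq, key, value = m.groups()
            entries[name].setdefault(int(seq), {})[key] = value
        elif m := BIND.match(line):
            name, ifname = m.groups()
            old = effective.get(ifname)
            if old and old != name:
                findings.append(f"{ifname}: binding {name} replaces {old}")
            # One crypto map per interface: a later binding replaces the
            # earlier one, which is the behaviour the poster observed.
            effective[ifname] = name
    bound = set(effective.values())
    for name, seqs in entries.items():
        if name not in bound:
            for seq, attrs in sorted(seqs.items()):
                findings.append(f"{name} seq {seq} peer {attrs.get('set peer', '?')}"
                                " is not bound to any interface")
    return effective, findings

if __name__ == "__main__":
    effective, findings = audit(SAMPLE)
    print(effective)
    print("\n".join(findings))
```

An empty findings list means every peer entry lives in a crypto map that is actually applied to an interface.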
01-15-2018 04:03 AM
Hi RJI,
I see what you mean now. I'd correct it and give feedback.
Thanks so much for your responses.
01-20-2018 07:09 AM
Hi RJI,
Attempting to use different names for the outside-map for the two VPNs was the issue. You are right.
Thank you.