Solved: Re: UNABLE TO CREATE MULTIPLE SITE-TO-SITE ON ASA 5515

Jesutofunmi O · ‎01-12-2018

Hello Techies,

I have site A, B, C and D. I am trying to create a site-to-site ipsec VPN to sites B,C and D with an ASA 5515 from site A but I have a few issues;

Background

1. Some of the sites have more than one subnet E.G. Site B has 192.168.2.x/24 subnet and 172.16.0.0/18 subnet.

2. Site A (the site with the ASA), has the following subnet 192.168.0.0/24 and 172.16.120.0/21

3. Site C has the subnet 172.16.130.0/24

NOW THE PROBLEM

1.Two sites do not stay up. When one site is brought up, the other goes down.

2. Two subnets from a site do not stay up, one stays up and the other is down.

Rob Ingram · ‎01-13-2018

Hi, You were previously attempting to use 2 x crypto map "outside-map" and "outside_map_abuja". Only one of these can be applied to an interface.

You are using different sequence numbers in your original example output, but the crypto map name is different.

You just need to create 1 crypto map for all VPNs and use the sequence numbers (as per my example) to distinguish between the VPN peers.

HTH

View solution in original post

Jesutofunmi O · ‎01-12-2018

PLEASE HELP!!!

Rob Ingram · ‎01-12-2018

You can only have 1 crypto map assigned to an interface, you would need to use sequence number to distinguish between the different peers. Eg.

crypto map outside_map 2 match address ILUPEJU_LAN_TRAFFIC
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer 62.173.x.x
crypto map outside_map 2 set ikev1 transform-set ILUPEJUSET
crypto map outside_map 3 match address Abuja-to-VI
crypto map outside_map 3 set peer 41.184.x.x
crypto map outside_map 3 set ikev1 transform-set ABUJA-SET

Then enable the crypto map on the outside interface.

Jesutofunmi O · ‎01-12-2018

Hello RJI,

Thanks for responding.

crypto map outside_map 2 match address ILUPEJU_LAN_TRAFFIC
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer 62.173.x.x
crypto map outside_map 2 set ikev1 transform-set ILUPEJUSET
crypto map outside_map 3 match address Abuja-to-VI
crypto map outside_map 3 set peer 41.184.x.x
crypto map outside_map 3 set ikev1 transform-set ABUJA-SET

1. If I understand you, you said one I cannot have these two at the same time as I also observed one deletes the other if they are pointing at the same outside interface.

- crypto map outside-map interface outside

- crypto map outside_map_abuja interface outside

Is the solution to create other outside interfaces for other Crypto maps. E.G.

interface GigabitEthernet0/0
crypto map outside_map

interface GigabitEthernet0/2

Crypto map outside_map_abuja

2. I already have sequence number separating the crypto maps as seen above, is there anything to correct there please?

(crypto map outside-map interface outside)

Rob Ingram · ‎01-13-2018

Hi, You were previously attempting to use 2 x crypto map "outside-map" and "outside_map_abuja". Only one of these can be applied to an interface.

You are using different sequence numbers in your original example output, but the crypto map name is different.

You just need to create 1 crypto map for all VPNs and use the sequence numbers (as per my example) to distinguish between the VPN peers.

HTH

Jesutofunmi O · ‎01-15-2018

Hi RJI,

I see what you mean now. I'd correct it and give feedback.

Thanks so much for your responses.

Jesutofunmi O · ‎01-20-2018

Hi RJI,

Attempting to use different names for the outside-map for the two VPNs was the issue. You are right.

Thank you.