VPN Issue

stephen.stack
Level 4

Hi Guys,

Hope someone can help here.

We have a site-to-site tunnel established as per the config below, and someone on these forums recommended the config as a primary/backup VPN.

crypto map outside_vpn 11 match address VPN-TO-CUST
crypto map outside_vpn 11 set peer CUST_ENDPOINT_A
crypto map outside_vpn 11 set transform-set strong
crypto map outside_vpn 12 match address VPN-TO-CUST
crypto map outside_vpn 12 set peer CUST_ENDPOINT_B
crypto map outside_vpn 12 set transform-set strong

Now, the primary VPN works fine. A remote host can ping the external interface of our firewall over the VPN when VPN-A is up.

When VPN-A fails, VPN-B is built. But this tunnel will only accept traffic and will not transmit.

I get the following error.

Denied ICMP type=8, code=0 from 10.39.10.194 on interface Outside

IKE Initiator unable to find policy: Intf Outside, Src: x.x.x.x, Dst: 10.39.10.194

Where x.x.x.x is the external IP.

Please help me fix this problem.

Regards

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful
9 Replies

Ivan Martinon
Level 7

Stephen, when the secondary tunnel kicks in, who starts this tunnel? AFAIK the router having 2 peers should be the one that starts the tunnel. I would also advise you to use the same crypto config, only adding a second peer:

crypto map outside_vpn 11 match address VPN-TO-CUST
crypto map outside_vpn 11 set peer CUST_ENDPOINT_A
crypto map outside_vpn 11 set peer CUST_ENDPOINT_B
crypto map outside_vpn 11 set transform-set strong

Using this type of configuration you tell the router to use the second peer when the primary is not responding; with the configuration you have above, the router will always try to use peer A.

Hi,

Thanks for the response.

I just tried this conf and I get the message below.

ERROR: Multiple Peers can be specified only with originate-only connections

I have also tried the whole originate-only set of commands and this is not working too well for me either. It appears to fail over to the other tunnel but kinda goes up and down a lot.

Any other idea? Desperate now :(

Thanks

Stephen

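Ivan's suggestion (two peers on one crypto map sequence) and the ERROR line Stephen got back describe two different ways a crypto map can be mis-shaped: the original two-sequence layout, where both sequences match the same ACL so the second one is shadowed by the first, and the single-sequence two-peer layout, which the platform rejected without an originate-only connection type. The following is an added example, not code from this thread or from Cisco: a small Python linter that parses crypto map lines and reports both conditions. It assumes the `set connection-type originate-only` keyword the error message refers to, and the sample configs are constructed from the entries quoted in the thread; the thread itself reports that later ASA releases accept the two-peer form, so treat the originate-only rule as the behaviour of the release that produced the error.

```python
import re
from collections import defaultdict

# Constructed samples built from the config lines quoted in the thread.
# Layout 1: two sequences, each with one peer, both matching the same ACL.
TWO_SEQUENCE_CONFIG = """\
crypto map outside_vpn 11 match address VPN-TO-CUST
crypto map outside_vpn 11 set peer CUST_ENDPOINT_A
crypto map outside_vpn 11 set transform-set strong
crypto map outside_vpn 12 match address VPN-TO-CUST
crypto map outside_vpn 12 set peer CUST_ENDPOINT_B
crypto map outside_vpn 12 set transform-set strong
"""

# Layout 2: one sequence carrying both peers (Ivan's suggestion).
TWO_PEER_CONFIG = """\
crypto map outside_vpn 11 match address VPN-TO-CUST
crypto map outside_vpn 11 set peer CUST_ENDPOINT_A
crypto map outside_vpn 11 set peer CUST_ENDPOINT_B
crypto map outside_vpn 11 set transform-set strong
"""

# Layout 3: same as layout 2 plus the connection type the error message asks for
# (assumed keyword, taken from the ERROR line in the thread).
TWO_PEER_ORIGINATE_ONLY_CONFIG = TWO_PEER_CONFIG + \
    "crypto map outside_vpn 11 set connection-type originate-only\n"

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_crypto_map(text):
    """Group 'crypto map <name> <seq> ...' lines by (name, seq)."""
    entries = defaultdict(lambda: {"match": [], "peers": [],
                                   "conn_type": None, "transform": []})
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # not a crypto map entry; ignore
        name, seq, rest = m.groups()
        key = (name, int(seq))
        tokens = rest.split()
        if tokens[:2] == ["match", "address"] and len(tokens) > 2:
            entries[key]["match"].append(tokens[2])
        elif tokens[:2] == ["set", "peer"]:
            entries[key]["peers"].extend(tokens[2:])
        elif tokens[:2] == ["set", "connection-type"] and len(tokens) > 2:
            entries[key]["conn_type"] = tokens[2]
        elif tokens[:2] == ["set", "transform-set"]:
            entries[key]["transform"].extend(tokens[2:])
    return dict(entries)


def lint_crypto_map(text):
    """Return a list of human-readable findings for the two failure modes above."""
    entries = parse_crypto_map(text)
    findings = []

    # Rule 1: more than one peer on a sequence requires originate-only
    # (this is the condition behind the ERROR line quoted in the thread).
    for (name, seq), e in sorted(entries.items()):
        if len(e["peers"]) > 1 and e["conn_type"] != "originate-only":
            findings.append(
                f"{name} {seq}: {len(e['peers'])} peers without "
                f"'set connection-type originate-only'")

    # Rule 2: the same ACL matched by several sequences of one map. Crypto map
    # sequences are evaluated in order, so outbound traffic always lands on
    # the lowest sequence and the later one is shadowed.
    acl_owners = defaultdict(list)
    for (name, seq), e in entries.items():
        for acl in e["match"]:
            acl_owners[(name, acl)].append(seq)
    for (name, acl), seqs in sorted(acl_owners.items()):
        if len(seqs) > 1:
            findings.append(
                f"{name}: ACL {acl} matched by sequences {sorted(seqs)}; "
                f"only the lowest sequence is selected for outbound traffic")
    return findings


if __name__ == "__main__":
    for label, cfg in [("two-sequence", TWO_SEQUENCE_CONFIG),
                       ("two-peer", TWO_PEER_CONFIG),
                       ("two-peer originate-only", TWO_PEER_ORIGINATE_ONLY_CONFIG)]:
        print(f"== {label} ==")
        for f in lint_crypto_map(cfg) or ["no findings"]:
            print("  ", f)
```

Run it against a pasted `show running-config` excerpt and it prints one line per finding; an empty list means neither condition is present. The ACL-shadowing rule is the more useful one day to day, because the device accepts that configuration silently and the only symptom is the one-way traffic Stephen described.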

You got me there, something I was not recalling. I believe that unfortunately routers do not have the option of setting the direction of the crypto map; you might want to review your design and go for a GRE/IPSec solution.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/2_p2pGRE_Phase2.html

Ok, but the ASA does not do GRE tunnels... does it?

Thanks


Nope, but you never mentioned ASAs in the picture ;) Where is it located?

OMG, what a plonker... so sorry. I should have said from the outset. Located?


By located I mean: is it one of the remote peers? Is it the central peer?

Hi,

Sorry for the delay in getting back to you on this. It appears that the config you first gave me does not work on ASA 7.2(2), but it does on 7.2(3).

crypto map outside_vpn 11 match address VPN-TO-CUST
crypto map outside_vpn 11 set peer CUST_ENDPOINT_A
crypto map outside_vpn 11 set peer CUST_ENDPOINT_B
crypto map outside_vpn 11 set transform-set strong

It is working great now.

Thanks


blackmichael
Level 1

I just had the same issue running 7.2(2). I upgraded to 8.0(4) and had no problem entering the second peer.

So the answer is 7.2(2) can't do it.... Upgrade!!!