VPN up but not routing over the tunnel (1811 to ASA5520)

ProvellRC
Level 1

I was recently tasked with adding a redundant internet connection for one of our remote sites. This new connection was to be used as the primary connection for the VPN from the site, with the existing one being configured as a failover controlled by an IP SLA tracker on the new interface.

The existing connection uses a PPPoE connection configured under Dialer1 associated with FE0 to connect to our ASA. Duplicating this wasn't an option given the hardware that the second ISP provided. They provided a /29 for use; I configured FE2 using a Vlan interface with a host on that subnet.

I duplicated the connection profiles and tunnel groups on our ASA, changing only the Peer IP. Both interfaces on the 1811 are using the same crypto map.

The new connection seems fine and I can reach other hosts on its subnet from both the router and hosts on the inside of the NAT.

The issue happens when I change the default route to use the new connection.

I'm able to reach internet hosts using the new connection and I can see the VPN being established on the ASA while the VPN from the old connection drops, but I can't get traffic to route over the tunnel.

If I remove the default route that uses the new connection the VPN comes back up on the old connection just fine. There's no problem routing over the VPN when it uses that connection, just the new one.

Relevant config from show run:

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <KEY> address <ASA IP ADDRESS>
crypto isakmp keepalive 10
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
!
crypto map aesmap 20 ipsec-isakmp
 set peer <ASA IP ADDRESS>
 set transform-set aesset
 set pfs group2
 match address acl_vpn_test
!
interface FastEthernet0
 no ip address
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map aesmap
!
interface FastEthernet2
 switchport access vlan 100
!
interface Vlan100
 ip address <IP FOR NEW CONNECTION> 255.255.255.248
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect Stateful_CBAC out
 ip virtual-reassembly
 crypto map aesmap
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip inspect Stateful_CBAC out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 <PPP ACCOUNT INFO>
 crypto map aesmap
!
ip route 0.0.0.0 0.0.0.0 Dialer1 100
ip route 0.0.0.0 0.0.0.0 <FIRST HOP IP FOR NEW CONNECTION> track 1
!


Herbert Baerten
Cisco Employee

Hi Alex

I think this is most likely an issue on the ASA. Could you post the (sanitized) config of the ASA please?

In addition, try to send some traffic across and watch if you see the encrypt & decrypt counters increase in "show crypto ipsec sa" on both sides.

hth

Herbert
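The counter check suggested in the reply above is easy to get wrong by eye when two snapshots from two boxes are involved, so here is a small helper that does the comparison mechanically. It is an added example, not code from the original poster or from Cisco: it parses the `local ident` / `remote ident` / `#pkts encaps` / `#pkts decaps` lines of `show crypto ipsec sa` (the same layout on IOS and ASA), takes a before and after snapshot from each side, and reports which leg of the path stopped counting. All network numbers, the `sample_snapshot()` helper and the verdict names are constructed for the demonstration and are not from the thread.

```python
import re
from dataclasses import dataclass


@dataclass
class SaCounters:
    """Packet counters for one IPsec SA, keyed by its proxy identities."""
    local: str   # local ident as "addr/mask"
    remote: str  # remote ident as "addr/mask"
    encaps: int  # packets this side encrypted and sent
    decaps: int  # packets this side received and decrypted


def parse_ipsec_sa(text: str) -> dict:
    """Parse 'show crypto ipsec sa' text into {(local, remote): SaCounters}."""
    result, cur = {}, None
    for line in text.splitlines():
        m = re.search(r"local\s+ident.*?\(([\d./]+)\)", line)
        if m:
            # "a.b.c.d/mask/prot/port" -> keep only addr/mask for the key
            cur = {"local": "/".join(m.group(1).split("/")[:2])}
            continue
        m = re.search(r"remote\s+ident.*?\(([\d./]+)\)", line)
        if m and cur is not None:
            cur["remote"] = "/".join(m.group(1).split("/")[:2])
            continue
        m = re.search(r"#pkts encaps:\s*(\d+)", line)
        if m and cur is not None:
            cur["encaps"] = int(m.group(1))
            continue
        m = re.search(r"#pkts decaps:\s*(\d+)", line)
        if m and cur is not None and "remote" in cur:
            # decaps is the last counter line of a record: emit the SA
            key = (cur["local"], cur["remote"])
            result[key] = SaCounters(key[0], key[1], cur.get("encaps", 0), int(m.group(1)))
            cur = None
    return result


def counter_delta(before: str, after: str, key: tuple) -> tuple:
    """(encaps delta, decaps delta) for one SA between two snapshots."""
    b, a = parse_ipsec_sa(before).get(key), parse_ipsec_sa(after).get(key)
    if a is None:          # SA absent after test traffic: nothing was counted
        return (0, 0)
    if b is None:          # SA did not exist before: all of it is new
        return (a.encaps, a.decaps)
    return (a.encaps - b.encaps, a.decaps - b.decaps)


def diagnose(router_before, router_after, asa_before, asa_after, site_net, hub_net) -> str:
    """Name the first leg of the site->hub->site path whose counter did not move."""
    r_enc, r_dec = counter_delta(router_before, router_after, (site_net, hub_net))
    # the ASA sees the same SA with local/remote swapped
    a_enc, a_dec = counter_delta(asa_before, asa_after, (hub_net, site_net))
    if r_enc == 0:
        return "router-not-encrypting"   # traffic never matched the crypto map on egress
    if a_dec == 0:
        return "asa-not-decrypting"      # encrypted packets did not arrive or were dropped
    if a_enc == 0:
        return "asa-not-returning"       # ASA got them but sent nothing back over the SA
    if r_dec == 0:
        return "router-not-decrypting"   # return traffic lost on the way back
    return "bidirectional"


def sample_snapshot(local, remote, peer, encaps, decaps) -> str:
    """Constructed text in the layout of 'show crypto ipsec sa'; not a real capture."""
    return (
        f"   local  ident (addr/mask/prot/port): ({local}/0/0)\n"
        f"   remote ident (addr/mask/prot/port): ({remote}/0/0)\n"
        f"   current_peer {peer} port 500\n"
        f"    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
        f"    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n"
    )


if __name__ == "__main__":
    # Hypothetical site and hub networks (RFC 5737 / private ranges), not the poster's.
    SITE, HUB = "192.168.10.0/255.255.255.0", "10.0.0.0/255.255.255.0"
    rb = sample_snapshot(SITE, HUB, "203.0.113.1", 0, 0)
    ra = sample_snapshot(SITE, HUB, "203.0.113.1", 0, 0)   # encaps never moved
    ab = sample_snapshot(HUB, SITE, "198.51.100.2", 0, 0)
    aa = sample_snapshot(HUB, SITE, "198.51.100.2", 0, 0)
    print(diagnose(rb, ra, ab, aa, SITE, HUB))
```

Take the "before" snapshots, send a few pings from an inside host, then take the "after" snapshots on both devices and feed the four texts in; a `router-not-encrypting` verdict points at routing or NAT on the router's egress interface, while the ASA-side verdicts point at the box the reply asks to look at.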
