cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
405
Views
0
Helpful
0
Comments
TCC_2
Advocate
Advocate

Core issue

These could be among the reasons for this behavior:

  • An incorrect peer IP address defined in the crypto-map.

  • The same crypto access-list command might be bound with both the crypto-map entries on the Adaptive Security Appliance (ASA). As a result, the second crypto-map entry is never hit, since the traffic meant for the second peer is matching with the crypto access-list bound with the first crypto-map entry.

Resolution

To resolve this issue, verify that:

  • The peer IP is correct.

  • The access-list command bound with the separate crypto-map entries are different, so that the relevant access-list is hit, as shown:

access-list vpn1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map IPsec_map 10 match address vpn1
crypto map IPsec_map 10 set peer 1.1.1.1
crypto map IPsec_map 10 set transform-set myset
crypto map IPsec_map 11 match address vpn2
crypto map IPsec_map 11 set peer 2.2.2.2
crypto map IPsec_map 11 set transform-set myset
crypto map IPsec_map interface outside

At this point, you should be able to pass traffic.

VPN Tunnel End Points

Any end point

VPN Protocols

IPSec

VPN Tunnel Initialization

IPSec session is not established

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links