GB1000 and ASA VPN with multiple subnets

Unanswered Question
Jan 30th, 2007


I have to connect two sites with a VPN, with multiple subnets at one site.

NetworkA---direct link---NetworkB---GB1000-----VPN-----ASA---NetworkC

A Cisco ASA 5505 is connected to a GB1000, which has multiple subnets.

Everything works fine when we access B from C. If we access A from C, the GB1000 drops the tunnel C-B and establishes a tunnel A-C. It looks like we can have only one active tunnel at a time. (Licensing is not an issue here.)

I spoke to the GB1000 guys, and they say that the GB1000 will create one IKE SA and one IPsec SA even when multiple subnets are involved. By contrast, the Cisco ASA creates an IPsec SA for every subnet at the remote end. I think this is the root cause of the issue.

We are thinking of aggregating all remote subnets into one so that we would have only one ACL entry on the ASA, but this would require redesigning the company's subnetting.

Is it possible to make the GB1000 act in the Cisco fashion, i.e. create a separate SA per subnet? Or to make the ASA create just one IPsec SA for the remote networks?

Any idea will be highly appreciated.

Thank you.



ggilbert Tue, 01/30/2007 - 15:10


Depending on the ACL entry, the ASA will create specific IPsec SAs for the interesting traffic matching that entry.

If the GB1000 does not support this, then you can summarize the networks on the ASA so that it creates just one IPsec SA.

Rate it, if this helps.
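To make the two approaches concrete, here is an added ASA crypto-map configuration written for this thread; it is not from the original poster or from ggilbert. The addressing is constructed for illustration: Network A and Network B behind the GB1000 are assumed to be 10.1.0.0/24 and 10.1.1.0/24 (chosen so they summarize cleanly into 10.1.0.0/23), Network C behind the ASA is 10.2.0.0/24, and the GB1000's public address is assumed to be 198.51.100.1. The syntax is ASA 7.2-style, which is what a 5505 ran at the time; object names such as VPN-TO-GB1000 and OUTSIDE_MAP are arbitrary.

```cisco
! Added example, not part of the original thread. All addresses are constructed:
!   Network A (behind GB1000) 10.1.0.0/24   Network B (behind GB1000) 10.1.1.0/24
!   Network C (behind ASA)    10.2.0.0/24   GB1000 public address     198.51.100.1 (assumed)
!
! --- Variant 1: one access-list entry per remote subnet.
! --- The ASA negotiates a separate IPsec SA pair (inbound + outbound) per entry,
! --- so the GB1000 is asked for two proxy identities:
! ---   10.2.0.0/24 <-> 10.1.0.0/24   and   10.2.0.0/24 <-> 10.1.1.0/24
! --- This is the shape that triggers the one-tunnel-at-a-time symptom in the question.
access-list VPN-TO-GB1000 extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN-TO-GB1000 extended permit ip 10.2.0.0 255.255.255.0 10.1.1.0 255.255.255.0
!
! --- Variant 2: a single summarized entry (10.1.0.0/23 covers both A and B).
! --- Only one proxy identity is offered, so only one IPsec SA pair is built.
! --- Use this INSTEAD of variant 1; do not configure both sets of entries.
! access-list VPN-TO-GB1000 extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.254.0
!
! NAT exemption must cover the same traffic as the crypto ACL, or packets are
! translated before the crypto map is consulted and never match it.
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.254.0
nat (inside) 0 access-list NONAT
!
! Phase 1 (IKE). One IKE SA is built per peer regardless of the variant above.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 (IPsec). The crypto map ties the interesting-traffic ACL to the peer.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-GB1000
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-STRONG-SHARED-SECRET
```

After bringing the tunnel up, `show crypto ipsec sa` lists one `local ident` / `remote ident` pair per negotiated SA: with variant 1 you should see two entries for the peer, with variant 2 only one. The summarized entry only works if the GB1000 is configured with the same pair of networks (10.1.0.0/23 and 10.2.0.0/24, in this constructed example), because the ASA requires the proxy identities proposed by the peer to match a crypto ACL entry exactly; a mismatch shows up in the ASA syslog as message 713061, "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy ...". Summarizing to a /23 does mean the ASA will also treat as VPN-bound any address in that range that is not actually in use at the remote site, which is usually harmless but worth noting if the spare space is ever assigned elsewhere.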



