ASA 5505 cannot create a second VPN tunnel

Unanswered Question
Jan 27th, 2008

Hi Guys,

This issue is driving me nuts and would greatly appreciate all your help.

Scenario....

Site A - ASA 5505

Site B - ASA 5505

Site C - Sonicwall firewall.

I can create a VPN tunnel (main mode) from site A to site C.

I can create a VPN tunnel (main mode) from site B to site C.

If I try to create a second tunnel from site A to site B nothing happens, i.e. debug of crypto isakmp has no output.

Similarly

If I blow the configs and start again

I can create a tunnel from Site A to site B and Site B to Site C.

When I try to create a second tunnel from site B to C, once again no joy.

By completing the above I have proven that an individual VPN tunnel between any two of the devices can be created, thus eliminating vendor compatibility. The issue is with creating a second tunnel on any of the ASA 5505 appliances.

The Sonicwall appliance can easily support multiple VPN tunnels.

A show ver on each ASA 5505 would suggest up to 10 VPN tunnels can be established on each device.

Here are sample configs for each ASA appliance.

##############################

Show Ver as follows :-

User Access Verification

Password:
Type help or '?' for a list of available commands.
Digiweb> ena
Password: **********
Digiweb# show ver

Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)

Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"

Digiweb up 2 days 18 hours

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001e.1357.5e52, irq 11
1: Ext: Ethernet0/0 : address is 001e.1357.5e4a, irq 255
2: Ext: Ethernet0/1 : address is 001e.1357.5e4b, irq 255
3: Ext: Ethernet0/2 : address is 001e.1357.5e4c, irq 255
4: Ext: Ethernet0/3 : address is 001e.1357.5e4d, irq 255
5: Ext: Ethernet0/4 : address is 001e.1357.5e4e, irq 255
6: Ext: Ethernet0/5 : address is 001e.1357.5e4f, irq 255
7: Ext: Ethernet0/6 : address is 001e.1357.5e50, irq 255
8: Ext: Ethernet0/7 : address is 001e.1357.5e51, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

Serial Number: xxx
Running Activation Key: xxx
Configuration register is 0x1
Configuration last modified by enable_15 at 14:16:05.787 UTC Sat Jan 26 2008
Digiweb#

############################

Please refer to the attached config

############################

Once again thanks for your help....

Regards

Peter

acharyr123 Wed, 01/30/2008 - 01:06

Hi!

This could be a problem with crypto map binding.

Whenever you are trying to create 2 tunnels from say A to B & A to C it is working. But at the time of creating a tunnel b/w A to B it is failing due to this crypto map binding issue.

Try to get the debug logs before creating a tunnel b/w A to B, A to C & B to C.

petercumiskey Wed, 01/30/2008 - 05:39

Hi

Thanks for your reply. I have checked the binding as indicated. The attached config should confirm "crypto map outside_map interface outside" for two separate peers.

A to C for single tunnel is fine. B to C for single tunnel is fine. I can define second tunnel-group and crypto map for a second tunnel from either A or B.

Debug crypto isakmp with level 255 shows zero output when I try to ping interesting traffic at the other end. Terminal monitor is running so that I can see output.

When establishing 1st tunnel I will see output from debug.

Nothing for the second tunnel, which would suggest the ASA 5505 is not even trying to create the second tunnel.

If you have any further suggestions on debug commands I would really appreciate it.

Regards

Peter
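For comparison, here is an added, constructed example (not the attached config and not from either poster) of how two site-to-site peers share one crypto map on ASA 7.2: each peer gets its own sequence number and its own non-overlapping match ACL under the single map bound to the interface, and each protected subnet pair needs a NAT exemption, because a packet that is translated first never matches the crypto ACL and so never triggers IKE. All subnets, peer addresses, ACL names and keys are placeholders.

```cisco
! Constructed example: one crypto map, two IPsec L2L peers.
! Local LAN 10.1.1.0/24; remote LANs 10.2.2.0/24 (peer B) and 10.3.3.0/24 (peer C).
! Peer addresses are taken from RFC 5737 documentation ranges.
!
! One crypto ACL per peer. The two must not overlap, and each must be the
! mirror image of the ACL configured on the remote side.
access-list outside_cryptomap_10 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
!
! NAT exemption for BOTH subnet pairs. A missing entry here is a common cause of
! "debug crypto isakmp shows nothing": the packet is translated before the crypto
! ACL is evaluated, so it never matches and IKE is never initiated for that peer.
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Same map name, different sequence numbers. Reusing sequence 10 for the second
! peer would modify entry 10 instead of adding a second entry.
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 198.51.100.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
! The map is bound to the interface once; every entry in it is then active.
crypto map outside_map interface outside
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! One tunnel-group per peer, named by the peer's IP address.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <placeholder-psk-for-peer-B>
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key <placeholder-psk-for-peer-C>
```

The checks are show crypto map, which should list both entries under outside_map, and show crypto isakmp sa, which should show one MM_ACTIVE entry per peer once interesting traffic has been sent to each remote subnet.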
