Remote Office Not tunneling all traffic

Answered Question
Jul 30th, 2008

Attached is the 871 remote router config. Comes into the ASA under DefaultL2Lgroup. Another remote office comes in under the same tunnelgroup. Traffic to 192.168.0.0/24 works but I also need the tunnel to pass all traffic to 10.8.0.0/24. Let me know what you think. Thanks

ggilbert Wed, 07/30/2008 - 06:48

Hello Donnie.

I did look into the router config. From looking at the config, your internal network on the ASA side is 192.168.0.0/24 and internal network on the 871 remote side is 10.8.32.0/24.

Where is the network 10.8.0.0/24? Is it behind the ASA, or is it behind the second remote office that you mentioned, which terminates on the same tunnel-group of the ASA?

According to your config, it seems that 10.8.0.0 is /16 not /24

Can you please try to pass traffic from the 10.8.32.x/24 network to the 10.8.0.0/16 network and get the output of "sh cry ipsec sa" on the 871 router and on the ASA.

Thanks

Gilbert

donniehoover Wed, 07/30/2008 - 07:12

10.8.0.0/16 is going to be all our internal network. I have a vlan 10.8.0.0/16 which is what my computer is on. Attached is the show crypto ipsec sa.

ggilbert Wed, 07/30/2008 - 07:31

Donnie,

10.8.0.0/16 covers all your 10.8.x.x networks, so you will run into problems since your local network will be in the same range.

To get this to work, change the encryption ACL to /24 rather than /16 for the 10.8.x.x network.

Thanks

Gilbert

Daniel Voicu Wed, 07/30/2008 - 06:49

Hi,

To be honest the config looks ok.

Only one thing: you should put the crypto map to be /24, not /16. You need to modify the lines:

access-list 120 permit ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255

access-list 130 deny ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255

Please rate if this helped.

Regards,

Daniel
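An added check written for this thread (example code, not Cisco's, Gilbert's or Daniel's own) that parses the quoted access-list lines, converts the Cisco wildcard masks to prefixes, and flags entries whose source and destination networks overlap, which is the /16-versus-/24 problem described above. The "corrected" /24 ACL text is constructed here as an assumption of the fix being suggested.

```python
import ipaddress

# Constructed from the two ACL lines quoted in the thread (remote side written as /16).
SAMPLE_ACL = """
access-list 120 permit ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 130 deny ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.255.255
"""

# Assumed corrected form: remote network narrowed to a /24 (wildcard 0.0.0.255).
CORRECTED_ACL = """
access-list 120 permit ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.0.255
access-list 130 deny ip 10.8.32.0 0.0.0.255 10.8.0.0 0.0.0.255
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco 'address wildcard' pair into an IPv4Network.

    The wildcard is an inverted subnet mask, so invert it explicitly rather than
    relying on ipaddress guessing (0.0.0.0 would otherwise be read as /0, not /32).
    """
    all_ones = int(ipaddress.IPv4Address("255.255.255.255"))
    netmask = all_ones ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_acl(text: str):
    """Return (acl_number, action, src_net, dst_net) for 'access-list N permit|deny ip' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # Only the 8-token extended 'ip' form used in the thread is handled here.
        if len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        src = wildcard_to_network(parts[4], parts[5])
        dst = wildcard_to_network(parts[6], parts[7])
        entries.append((parts[1], parts[2], src, dst))
    return entries


def overlapping_entries(text: str):
    """Entries whose local (source) and remote (destination) networks overlap.

    For a crypto ACL this means local-to-local traffic also matches the entry,
    which is why a /16 remote range that contains the local /24 causes trouble.
    """
    return [e for e in parse_acl(text) if e[2].overlaps(e[3])]


if __name__ == "__main__":
    for acl, action, src, dst in overlapping_entries(SAMPLE_ACL):
        print(f"ACL {acl} {action}: local {src} overlaps remote {dst}")
```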

donniehoover Wed, 07/30/2008 - 07:57

FYI, I already have the access-lists stating the above. I just worded things wrong at the beginning of the conversation. Should I open a TAC case on this issue? If I ping from the router to my desktop, every other one is successful, and from my desktop about one of every 5 or so is successful. The ASA does not show any errors.

Correct Answer
Daniel Voicu Wed, 07/30/2008 - 23:40

Right, the problem might be on the router.

Try to disable the CEF "no ip cef" and check again.

Please rate if this helped.

Regards,

Daniel
