PIX to ASA5510 L2L

Answered Question
Aug 12th, 2008

I'm having a little trouble with this first of many l2l connections. The 2nd part of phase one seems to be failing and I can't put my finger on it, maybe another set of eyes could help. It's map 870, tunnel-group 204.87.234.40. Thanks in advance for any input.

See attachments

I tried to pare down the info to just the pertinent stuff, but there is still a lot there.

Thanks again

David VanHaaren

Correct Answer by cdusio about 8 years 3 months ago

David,

glad it worked. Just so you know though, it really has 0 to do with the dynamic map. It has everything to do with the order of operations of the crypto map.

In any event, you are good to go so that's what's important.

-C

acomiskey Tue, 08/12/2008 - 07:57

You should not use the same acl for all your vpn's.

ASA

access-list crypto_map_870 extended permit ip 10.3.0.0 255.255.0.0
access-list crypto_map_870 extended permit ip 207.78.40.0 255.255.255.0 192.168.0.0 255.255.0.0
crypto map qdi 870 match address crypto_map_870
crypto map qdi 870 set peer 204.87.234.40
crypto map qdi 870 set transform-set remotes

I would start there.

dvanhaaren Tue, 08/12/2008 - 08:45

Thanks for the idea.

The debug still comes up the same. It seems to only check the first couple of maps and when it doesn't find its peer it stops. The other maps are not yet in use and most of them will be coming out. The license supports 200 VPN connections so I'm at a loss here.

David

acomiskey Tue, 08/12/2008 - 09:16

Made a small error above.

access-list crypto_map_870 extended permit ip 192.168.0.0 255.255.0.0 10.3.0.0 255.255.0.0

Also, if you are not using access list l2ltunnel I would get rid of it as it contains duplications to the new acl you created.

dvanhaaren Tue, 08/12/2008 - 09:26

I caught the error and adjusted the ACL. I'm wondering if I need to take all the map entries out and start with just one and build from there? I was hoping I was just missing something obvious. The debug does show the right networks being assigned to the tunnel.

dvanhaaren Wed, 08/13/2008 - 10:18

Would anybody else have any suggestions? All comments, ideas, thoughts are welcome.

acomiskey Wed, 08/13/2008 - 10:22

What does your config look like now? I still think it is an issue with the l2ltunnel acl including traffic which should be specific to the tunnel you are trying to bring up, but I of course could be wrong.

acomiskey Wed, 08/13/2008 - 11:01

In your "show cry isa sa", the "type" should not be saying "user". It should be saying "L2L". Not sure why it's doing that, hopefully someone else can chime in.

I would try moving this one down the list.

no crypto map qdi 70 ipsec-isakmp dynamic remote
crypto map qdi 65535 ipsec-isakmp dynamic remote

dvanhaaren Thu, 08/14/2008 - 02:59

That's a good point.

Can I do that remotely if I'm VPN'ed in?

Will it drop my connection?

David

cdusio Thu, 08/14/2008 - 06:46

Here's part of your issue. You have a crypto map with tons of stuff defined but most of it is incomplete. When the ASA goes through the map process, it goes in order. Once it hits 60, it stops because it's not complete. To test this, just create a new crypto map with your peer only in it and apply that to the interface, or make sure your map is complete.

You seem to be passing phase IKE already so I think that might be where the issue is.

HTH

Chris

cdusio Thu, 08/14/2008 - 06:49

Just for clarification, I mean that the crypto map will stop as soon as it gets to a number on there where all the info isn't there. So in your case, at least in the new config, it's pretty much everything because you removed the ACL you were attempting to match against before.

-C

dvanhaaren Thu, 08/14/2008 - 08:19

It appears moving the map to the head of the class is a winner. I think both ideas come into play here. By moving the map ahead of the dynamic map and the incomplete maps it works. I'm thinking the dynamic map was the main culprit since the other maps were complete originally. So much for trying to get a little ahead. One map at a time is the law. Thanks guys, really appreciate the extra sets of eyes.

David
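As an added example (not from this thread or from Cisco), a small Python check for the two failure modes cdusio and acomiskey describe: entries in an ASA crypto map are walked in sequence-number order, so a static entry missing its match address, peer or transform-set, or a dynamic entry numbered below the static L2L entries, stops the walk before the intended entry is reached. The sample config is constructed; the map name qdi, the peer 204.87.234.40 and the sequence numbers 60, 70 and 870 come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample config modelled on the thread: an incomplete entry (60), a
# dynamic entry at a low sequence number (70) and the complete L2L entry (870).
SAMPLE_CONFIG = """
crypto map qdi 60 match address crypto_map_60
crypto map qdi 70 ipsec-isakmp dynamic remote
crypto map qdi 870 match address crypto_map_870
crypto map qdi 870 set peer 204.87.234.40
crypto map qdi 870 set transform-set remotes
crypto map qdi interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
REQUIRED = ("match address", "set peer", "set transform-set")

def parse_crypto_maps(config):
    """Return {map_name: {seq: set of statement kinds}} from ASA config text."""
    maps = defaultdict(lambda: defaultdict(set))
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # e.g. 'crypto map qdi interface outside' or unrelated lines
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        if rest.startswith("ipsec-isakmp dynamic"):
            maps[name][seq].add("dynamic")
        else:
            maps[name][seq].update(r for r in REQUIRED if rest.startswith(r))
    return maps

def lint_crypto_map(config):
    """Walk each map in sequence order (the order the ASA evaluates it) and
    report static entries missing a required statement and dynamic entries
    placed ahead of static ones (acomiskey's suggestion: move them to 65535)."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        seqs = sorted(entries)
        static_seqs = [s for s in seqs if "dynamic" not in entries[s]]
        for seq in seqs:
            if "dynamic" in entries[seq]:
                later = [s for s in static_seqs if s > seq]
                if later:
                    findings.append((name, seq, "dynamic entry precedes static entries %s" % later))
                continue
            missing = [r for r in REQUIRED if r not in entries[seq]]
            if missing:
                findings.append((name, seq, "incomplete: missing " + ", ".join(missing)))
    return findings
```

Feed it the crypto map lines from show running-config; an empty result means every static entry is complete and the dynamic entry sits last.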

