PIX to ASA5510 L2L

dvanhaaren
Level 1

I'm having a little trouble with this first of many l2l connections. The 2nd part of phase one seems to be failing and I can't put my finger on it, maybe another set of eyes could help. It's map 870, tunnel-group 204.87.234.40. Thanks in advance for any input.

See attachments

I tried to pare down the info to just the pertinent stuff, but there is still a lot there.

Thanks again

David VanHaaren


13 Replies

acomiskey
Level 10

You should not use the same ACL for all your VPNs.

ASA

access-list crypto_map_870 extended permit ip 10.3.0.0 255.255.0.0

access-list crypto_map_870 extended permit ip 207.78.40.0 255.255.255.0 192.168.0.0 255.255.0.0

crypto map qdi 870 match address crypto_map_870

crypto map qdi 870 set peer 204.87.234.40

crypto map qdi 870 set transform-set remotes

I would start there.

Thanks for the idea.

The debug still comes up the same. It seems to only check the first couple of maps and when it doesn't find its peer it stops. The other maps are not yet in use and most of them will be coming out. The license supports 200 VPN connections so I'm at a loss here.

David

Made a small error above.

access-list crypto_map_870 extended permit ip 192.168.0.0 255.255.0.0 10.3.0.0 255.255.0.0

Also, if you are not using access list l2ltunnel I would get rid of it as it contains duplications to the new acl you created.

I caught the error and adjusted the ACL. I'm wondering if I need to take all the map entries out and start with just one and build from there? I was hoping I was just missing something obvious. The debug does show the right networks being assigned to the tunnel.

Would anybody else have any suggestions? All comments, ideas, thoughts are welcome.

What does your config look like now? I still think it is an issue with the l2ltunnel ACL including traffic which should be specific to the tunnel you are trying to bring up, but I of course could be wrong.

Here's the config I've been trying with the changed ACL. At the bottom you can see it starts to establish then dies.

David

In your "show cry isa sa", the "type" should not be saying "user". It should be saying "L2L". Not sure why it's doing that, hopefully someone else can chime in.

I would try moving this one down the list.

no crypto map qdi 70 ipsec-isakmp dynamic remote

crypto map qdi 65535 ipsec-isakmp dynamic remote

That's a good point.

Can I do that remotely if I'm VPN'ed in?

Will it drop my connection?

David

Here's part of your issue. You have a crypto map with tons of stuff defined but most of it is incomplete. When the ASA goes through the map process, it goes in order. Once it hits 60, it stops because it's not complete. To test this, just create a new crypto map with your peer only in it and apply that to the interface, or make sure your map is complete.

You seem to be passing phase IKE already so I think that might be where the issue is.

HTH

Chris

Just for clarification, I mean that the crypto map will stop as soon as it gets to a number on there where all the info isn't there. So in your case, at least in the new config, it's pretty much everything because you removed the ACL you were attempting to match against before.

-C
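A small audit script for the ordering problem Chris describes in the two replies above, added here as an example and not part of this thread or of any Cisco tool: it parses crypto map lines, flags static entries missing any of match address / set peer / set transform-set, and flags static entries sequenced after a dynamic entry, since the ASA walks the map in ascending sequence order. The config sample is constructed, loosely modelled on the map name and peer used in this thread.

```python
import re

# Constructed sample of an ASA crypto map, modelled on the thread above:
# entry 60 is incomplete (no peer, no transform set), the dynamic entry sits
# at a low sequence number, and the complete entry 870 comes after both.
SAMPLE_CONFIG = """
crypto map qdi 60 match address crypto_map_60
crypto map qdi 70 ipsec-isakmp dynamic remote
crypto map qdi 870 match address crypto_map_870
crypto map qdi 870 set peer 204.87.234.40
crypto map qdi 870 set transform-set remotes
crypto map qdi interface outside
"""

# A static (non-dynamic) entry needs all three of these to be usable.
REQUIRED = ("match address", "set peer", "set transform-set")
LINE_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_crypto_map(config):
    """Group 'crypto map <name> <seq> ...' lines by (map name, sequence number)."""
    entries = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skips 'crypto map qdi interface outside' and non-map lines
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entries.setdefault((name, seq), []).append(rest)
    return entries


def audit_crypto_map(config):
    """Return (findings, first_dynamic_seq). Findings list static entries that
    are incomplete and static entries sequenced after a dynamic entry, since
    the ASA evaluates entries in ascending sequence order."""
    findings, first_dynamic = [], None
    for (name, seq), parts in sorted(parse_crypto_map(config).items()):
        if any(p.startswith("ipsec-isakmp dynamic") for p in parts):
            if first_dynamic is None:
                first_dynamic = seq
            continue
        missing = [r for r in REQUIRED if not any(p.startswith(r) for p in parts)]
        if missing:
            findings.append(f"{name} {seq}: incomplete, missing {', '.join(missing)}")
        if first_dynamic is not None and seq > first_dynamic:
            findings.append(f"{name} {seq}: static entry sequenced after dynamic entry {first_dynamic}")
    return findings, first_dynamic
```

Running it against a config where the incomplete entry is removed and the dynamic entry is moved to 65535 returns no findings.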

It appears moving the map to the head of the class is a winner. I think both ideas come into play here. By moving the map ahead of the dynamic map and the incomplete maps it works. I'm thinking the dynamic map was the main culprit since the other maps were complete originally. So much for trying to get a little ahead. One map at a time is the law. Thanks guys, really appreciate the extra sets of eyes.

David

David,

glad it worked. Just so you know though, it really has 0 to do with the dynamic map. It has everything to do with the order of operations of the crypto map.

In any event, you are good to go so that's what's important.

-C
