08-12-2008 07:27 AM - edited 03-11-2019 06:29 AM
I'm having a little trouble with this first of many l2l connections. The 2nd part of phase one seems to be failing and I can't put my finger on it, maybe another set of eyes could help. It's map 870, tunnel-group 204.87.234.40. Thanks in advance for any input.
See attachments
I tried to pare down the info to just the pertinent stuff, but there is still a lot there.
Thanks again
David VanHaaren
08-14-2008 04:45 PM
David,
glad it worked. Just so you know though, it really has 0 to do with the dynamic map. It has everything to do with the order of operations of the crypto map.
In any event, you are good to go so that's what's important.
-C
08-12-2008 07:57 AM
You should not use the same ACL for all your VPNs.
ASA
access-list crypto_map_870 extended permit ip 10.3.0.0 255.255.0.0
access-list crypto_map_870 extended permit ip 207.78.40.0 255.255.255.0 192.168.0.0 255.255.0.0
crypto map qdi 870 match address crypto_map_870
crypto map qdi 870 set peer 204.87.234.40
crypto map qdi 870 set transform-set remotes
I would start there.
08-12-2008 08:45 AM
Thanks for the idea.
The debug still comes up the same. It seems to only check the first couple of maps and when it doesn't find its peer it stops. The other maps are not yet in use and most of them will be coming out. The license supports 200 VPN connections so I'm at a loss here.
David
08-12-2008 09:16 AM
Made a small error above.
access-list crypto_map_870 extended permit ip 192.168.0.0 255.255.0.0 10.3.0.0 255.255.0.0
Also, if you are not using access list l2ltunnel I would get rid of it as it contains duplications to the new acl you created.
08-12-2008 09:26 AM
I caught the error and adjusted the ACL. I'm wondering if I need to take all the map entries out and start with just one and build from there? I was hoping I was just missing something obvious. The debug does show the right networks being assigned to the tunnel.
08-13-2008 10:18 AM
Would anybody else have any suggestions? All comments, ideas, and thoughts are welcome.
08-13-2008 10:22 AM
What does your config look like now? I still think it is an issue with the l2ltunnel acl including traffic which should be specific to the tunnel you are trying to bring up, but I of course could be wrong.
08-13-2008 10:52 AM
08-13-2008 11:01 AM
In your "show cry isa sa", the "type" should not be saying "user". It should be saying "L2L". Not sure why it's doing that, hopefully someone else can chime in.
I would try moving this one down the list.
no crypto map qdi 70 ipsec-isakmp dynamic remote
crypto map qdi 65535 ipsec-isakmp dynamic remote
08-14-2008 02:59 AM
That's a good point.
Can I do that remotely if I'm VPN'ed in?
Will it drop my connection?
David
08-14-2008 06:46 AM
Here's part of your issue. You have a crypto map with tons of stuff defined but most of it is incomplete. When the ASA goes through the map process, it goes in order. Once it hits 60, it stops because it's not complete. To test this, just create a new crypto map with your peer only in it and apply that to the interface, or make sure your map is complete.
You seem to be passing phase IKE already so I think that might be where the issue is.
HTH
Chris
08-14-2008 06:49 AM
Just for clarification, I mean that the crypto map will stop as soon as it gets to a number on there where all the info isn't there. So in your case, at least in the new config, it's pretty much everything because you removed the ACL you were attempting to match against before.
-C
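The two points raised in this thread (an incomplete static crypto map entry ahead of the one you need, and a dynamic entry sitting at a low sequence number) are the kind of thing that is easy to check for before pasting a config into the box. The script below is an added example, not anything posted in the thread or shipped with the ASA: it parses ASA-style "crypto map" and "access-list" lines, reports static entries that lack a match address, peer or transform-set, entries whose ACL is not defined, and dynamic entries evaluated before static peers. The sample config is constructed to resemble the map "qdi" discussed above (entry 60 incomplete, dynamic entry at 70, entry 870 complete); the map and ACL names are assumptions taken from the thread, and the checks are a simplification of what the ASA itself requires.

```python
import re

# Constructed sample config modelled on the thread: map "qdi" with an
# incomplete entry 60, a dynamic entry at 70 ahead of the static peers,
# and a fully defined entry 870 for peer 204.87.234.40.
SAMPLE_CONFIG = """
access-list crypto_map_870 extended permit ip 192.168.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list crypto_map_870 extended permit ip 207.78.40.0 255.255.255.0 192.168.0.0 255.255.0.0
crypto map qdi 60 match address crypto_map_60
crypto map qdi 60 set transform-set remotes
crypto map qdi 70 ipsec-isakmp dynamic remote
crypto map qdi 870 match address crypto_map_870
crypto map qdi 870 set peer 204.87.234.40
crypto map qdi 870 set transform-set remotes
crypto map qdi interface outside
"""

# A static (ipsec-isakmp) entry needs all three of these to be usable.
REQUIRED = ("match address", "set peer", "set transform-set")


def parse_crypto_maps(config):
    """Return ({map_name: {seq: entry}}, set of defined ACL names).

    entry = {"dynamic": <dynamic map name or None>, "attrs": {...}}
    """
    acls = set()
    maps = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) ", line)
        if m:
            acls.add(m.group(1))
            continue
        # Only numbered entries; "crypto map qdi interface outside" is skipped.
        m = re.match(r"crypto map (\S+) (\d+) (.*)", line)
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = maps.setdefault(name, {}).setdefault(
            seq, {"dynamic": None, "attrs": {}})
        words = rest.split()
        if rest.startswith("ipsec-isakmp dynamic "):
            entry["dynamic"] = words[-1]
        elif rest.startswith("match address "):
            entry["attrs"]["match address"] = words[-1]
        elif rest.startswith("set peer "):
            entry["attrs"]["set peer"] = words[2:]
        elif rest.startswith("set transform-set "):
            entry["attrs"]["set transform-set"] = words[2:]
    return maps, acls


def lint_crypto_map(config, map_name):
    """Return a list of (seq, message) findings for one crypto map, in seq order."""
    maps, acls = parse_crypto_maps(config)
    entries = maps.get(map_name, {})
    findings = []
    static_seqs = [s for s, e in sorted(entries.items()) if e["dynamic"] is None]
    for seq, entry in sorted(entries.items()):
        if entry["dynamic"] is not None:
            # Entries are evaluated in ascending sequence; a dynamic entry
            # should be the last resort, i.e. carry the highest number.
            later_static = [s for s in static_seqs if s > seq]
            if later_static:
                findings.append((seq, "dynamic map '%s' is evaluated before static "
                                 "entries %s; move it to a higher sequence (e.g. 65535)"
                                 % (entry["dynamic"], later_static)))
            continue
        missing = [k for k in REQUIRED if k not in entry["attrs"]]
        if missing:
            findings.append((seq, "incomplete entry, missing: " + ", ".join(missing)))
        acl = entry["attrs"].get("match address")
        if acl and acl not in acls:
            findings.append((seq, "match address references undefined ACL '%s'" % acl))
    return findings


if __name__ == "__main__":
    for seq, msg in lint_crypto_map(SAMPLE_CONFIG, "qdi"):
        print("crypto map qdi %d: %s" % (seq, msg))
```

Run it against a "show run crypto" capture instead of the sample and every finding points at a sequence number to fix or remove before the entry you actually need gets a chance to match.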
08-14-2008 08:19 AM
It appears moving the map to the head of the class is a winner. I think both ideas come into play here. By moving the map ahead of the dynamic map and the incomplete maps it works. I'm thinking the dynamic map was the main culprit since the other maps were complete originally. So much for trying to get a little ahead. One map at a time is the law. Thanks guys, really appreciate the extra sets of eyes.
David