EZVPN bug or feature?

Unanswered Question
Aug 19th, 2008

Ran into an issue last night troubleshooting my home EZVPN setup. It wouldn't connect, and kept referencing the ACL, but the ACL is correct. It wasn't until I logged into an 851 with EZVPN that I found the problem. If you exceed 50 lists for split tunneling, the connection fails. There are only 7 EZVPN connections to an ASA5505, and only 3 networks for split tunneling, two single public IPs and 10.0.0.0/8.

Here is what I am seeing: for each VPN client there is an entry for the three subnets on each client. There were 17 client subnets configured using an object group with a single ACL,

access-list EZ-VPN-Split permit ip object-group EZVPN object-group EZVPN-Users

each client router was receiving 51 subnets to encrypt, all of them duplicates of the three subnets in the EzVPN to encrypt object-group.

How do I prevent this from happening? The ASA5505 only supports 10 peers, so that would be 30 routes. They should only see 3 from what I understand. Do I need to set up the ACL differently?

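As an added pre-deployment check (not from the original post or from Cisco), the script below expands an object-group ACL into the individual source/destination entries a client receives and counts them against the 50-entry ceiling the post describes. The object-group and ACL names follow the post; the addresses, the one-/24-per-client layout and the limit constant are constructed assumptions.

```python
import ipaddress
SPLIT_TUNNEL_ACE_LIMIT = 50  # assumed: the ceiling the poster's 851 client hit

# Constructed sample in ASA object-group/access-list syntax, modelled on the
# poster's EZ-VPN-Split ACL; documentation addresses, one made-up /24 per client.
def build_sample_config(n_clients):
    users = "\n".join(f" network-object 10.{n}.1.0 255.255.255.0"
                      for n in range(1, n_clients + 1))
    return f"""object-group network EZVPN
 network-object host 192.0.2.10
 network-object host 198.51.100.20
 network-object 10.0.0.0 255.0.0.0
object-group network EZVPN-Users
{users}
access-list EZ-VPN-Split permit ip object-group EZVPN object-group EZVPN-Users
"""

def parse_object_groups(config):
    """Map each 'object-group network' name to its member networks."""
    groups, current = {}, None
    for parts in (line.split() for line in config.splitlines()):
        if parts[:2] == ["object-group", "network"]:
            current = parts[2]
            groups[current] = []
        elif parts[:1] == ["network-object"] and current:
            addr = parts[2] if parts[1] == "host" else f"{parts[1]}/{parts[2]}"
            groups[current].append(ipaddress.ip_network(addr))
    return groups

def _operand(tokens, groups):
    """Consume one operand: 'object-group NAME', 'host A' or 'A MASK'."""
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    addr = tokens[1] if tokens[0] == "host" else f"{tokens[0]}/{tokens[1]}"
    return [ipaddress.ip_network(addr)], tokens[2:]

def expand_acl(config, acl_name):
    """Expand object groups into the per-pair ACEs the client really receives."""
    groups, aces = parse_object_groups(config), []
    for parts in (line.split() for line in config.splitlines()):
        if parts[:2] == ["access-list", acl_name]:
            srcs, rest = _operand(parts[4:], groups)  # skip 'permit ip'
            dsts, _ = _operand(rest, groups)
            aces += [(s, d) for s in srcs for d in dsts]
    return aces

def check_split_tunnel(config, acl_name, limit=SPLIT_TUNNEL_ACE_LIMIT):
    """Return (expanded ACE count, distinct remote networks, over limit?)."""
    aces = expand_acl(config, acl_name)
    return len(aces), len({s for s, _ in aces}), len(aces) > limit
```

With 17 client subnets the expansion yields 51 entries but only 3 distinct remote networks, which is the duplication the post describes; with 10 clients it stays at 30.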
Anonymous (not verified) Mon, 08/25/2008 - 12:56

In reality, platforms such as the 8xx and 17xx can only support a much smaller number of security associations (SAs). The number of such split tunnel and connect ACLs does not pose a problem with EZVPN VI, where only a single SA is set up regardless of the number of split tunnels or connect ACL counts. We want to restrict the count to below platform limits, by restricting the number of SAs that are set up, and ignoring the overflow.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/eprod_qas0900aecd805358e0.html

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftezvpnr.html
