2ISP only one ASA5500 (VPN) has problem

Aug 22nd, 2008

Dear All,

Now I have a problem with a site-to-site VPN (ASA5500). The tunnel is up but I cannot ping from HQ to the branch. When I show

crypto ipsec sa, I see the pkts encaps as below:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 778, #pkts decrypt: 778, #pkts verify: 778

Note: At the HQ office one tunnel, Branch_ISP1, is OK; I mean HQ can communicate with the Branch,

but the tunnel VPN Branch_ISP2 is up, yet the branch cannot ping HQ and HQ cannot ping the Branch.

Please see the attached file for the HQ and branch sites.

Please help me to solve this problem!

Best Regards,


Marwan ALshawi Sat, 08/23/2008 - 01:57

I haven't checked your config yet.

Before that,

I want to know: are you looking to achieve load balancing through two ISPs?

If that is the case, with ASA you can do load balancing with two ISPs through VPN tunnels or two connections.

You can achieve primary and backup VPN.

Have a look at the following link; it might be helpful.


Please rate if helpful.

join_sn09 Mon, 08/25/2008 - 00:36

Hi marwanshawi,

On my configuration I just want to use 2 ISPs at the HQ for VPN only. I mean some branches use ISP1 and other branches use ISP2 only.

And the weblink that you gave me is not for doing the VPN connection; it shows backup.....

Could you let me know whether on ASA 5500 it can do VPN on 2 WAN interfaces or not? If it can, could you see in my attached file above whether this is correct or not?

Best Regards,


Marwan ALshawi Mon, 08/25/2008 - 01:40

You have these ACLs

access-list Branch_ISP1 extended permit ip

access-list Branch_ISP2 extended permit ip

and this map

crypto map Branch 2 match address Branch_ISP1

crypto map Branch 2 set peer

crypto map Branch 2 set transform-set Branch

crypto map Branch 3 match address Branch_ISP2

crypto map Branch 3 set peer

crypto map Branch 3 set transform-set Branch

will send the packet matched to host

because your ACL ISP1 and two have the same source and destination.

You need to make a different destination; in this case the map and remote host will be selected based on the matched ACL.

For example, take the branch LAN you sent me, then change the HQ ACL2 to

access-list Branch_ISP2 extended permit ip

In this case it will select the branch map 3 through host

!! Also include this new ACL in the nat 0 ACL for NAT exemption !!!

And make sure before that you can ping that host; in other words, that you have connectivity to it.

good luck

join_sn09 Mon, 08/25/2008 - 23:38

Dear marwanshawi,

Thank you for helping me :)

I followed what you told me and it is OK for the VPN, but I have a problem on my branch LAN (I mean that when we assigned IP addresses, my clients ended up with two subnets, and some clients use 192.168.3.x and some clients use 192.168.2.x, so they cannot communicate). How can I make them communicate?

Note: let me tell you what I want; I would like my branch to have 2 ASA5505 units and 2 ISPs connecting to HQ.

Best Regards,


join_sn09 Tue, 08/26/2008 - 20:01

Dear Marwanshawi,

Thank you for your full support :)

I have already read the web link that you gave me but I'm not clear on some commands; could I ask you some questions... The document tells us about only one WAN interface (1 ISP), but my system has 2 WAN interfaces (2 ISPs), so when I follow the ACL from the document, is it possible for Branch to Branch (I mean one branch uses ISP1 and the other Branch uses ISP2, and it is different):

-crypto map ABC interface ISP1

-crypto map ABC interface ISP2

-crypto isakmp enable ISP1

-crypto isakmp enable ISP2

By the way, do you have any idea for adding a route or doing something on ASA01 so it can communicate with ASA02?

Please see the attached file.

Best Regards,


Marwan ALshawi Tue, 08/26/2008 - 20:12


Are these two ASAs in the branch one office?

Are the clients in 192.168.50.x/24 in one network?

If yes,

why do you want them to communicate through the HQ ASA!!! It is gonna be slower over the ISP than the LAN???!!! Let me know about this point!!

If you want all communication to go from ASA1 to the HQ ASA then ASA2 and vice versa, you need to make the LAN connected to each branch ASA a different subnet; then we can achieve it through VPN or routing, whatever.

Just let me know about your goals and what you want to achieve, because I got confused about the first point I asked you about above!!

You can make VPN HQ to branch and make the branch ASAs one primary and the other as backup!! If you want.

join_sn09 Tue, 08/26/2008 - 20:50

Dear Marwanshawi,

Yes, I have two ASAs in the branch one office; some clients use 192.168.2.x/24 and some clients use 192.168.50.x/24.

I use it like this because ISP1 has 128Kbps and ISP2 has 512Kbps, so I need to use 2 connections to link to HQ; if I use only one connection it cannot support my clients.

Could you recommend how I can do 2 WAN interfaces like this for the standard diagram?

On the diagram that I showed you, can it do failover or not?

Best Regards,


Marwan ALshawi Tue, 08/26/2008 - 20:55

And you don't need any traffic between the branch clients to go through the VPN, right?

I mean from a PC on the branch to a PC on the same branch!!!

join_sn09 Tue, 08/26/2008 - 21:03

Dear Marwanshawi,

No, I need PC on the branch to PC on the same branch and other branches too.

I mean all the branches and all the connections can communicate.

Best Regards,


Marwan ALshawi Tue, 08/26/2008 - 21:21

Join, you confused me.

How many branches do you have?

The following info is based on the following:

PCs on the branch, based on the diagram you sent me, will communicate directly because they are on the same network,

and because you have divided them into two halves based on the ASA default gateway.

Let's say

you have your IPs in the range of to

and from 1 to 126 they use ASA ISP1 as default gateway

and from 129 to 254 they use the ASA ISP2.

You can do it by dividing the remote subnet, which is a /24, into two subnets on the VPN ACL.

For example, let's say the first half of the remote subnet uses ISP1 and the second one uses ISP2.

It could be done like

access-list 100 permit ip

access-list 100 permit ip

Attached is a changed config of your HQ ASA; try it.

If you have other branches then this will be a different topology than the one you have sent me.

Good luck.

Try it and let me know.
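To show why splitting the remote /24 into two halves changes the "#pkts encaps: 0" symptom on the second tunnel, here is an added Python example (not from the thread, from Cisco, or from either poster) that models how an ASA picks a crypto map entry: entries are tried in sequence-number order and the first one whose ACL permits the flow wins, so two entries with identical ACLs send every flow to the lower-numbered entry and the other tunnel never encapsulates anything. The HQ LAN 10.0.0.0/24, the peer addresses and the test hosts are placeholders the thread never gives; only the branch LAN 192.168.50.0/24, the ACL names and the crypto map name come from the thread. It also assumes the ACEs are written as network/mask pairs (the `host` keyword form is not parsed).

```python
import ipaddress

# Constructed sample configs in the shape of the HQ ASA crypto map quoted in the
# thread. The HQ LAN (10.0.0.0/24), the peer addresses and the test hosts are
# placeholders; the thread never gives them. The branch LAN 192.168.50.0/24 is
# the one named in the thread.

# "Before": both crypto ACLs name the same source and destination networks.
OVERLAPPING_CONFIG = """
access-list Branch_ISP1 extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Branch_ISP2 extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto map Branch 2 match address Branch_ISP1
crypto map Branch 2 set peer 198.51.100.1
crypto map Branch 3 match address Branch_ISP2
crypto map Branch 3 set peer 203.0.113.1
"""

# "After": the remote /24 is split into two /25 halves, one per ISP tunnel.
SPLIT_CONFIG = """
access-list Branch_ISP1 extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.128
access-list Branch_ISP2 extended permit ip 10.0.0.0 255.255.255.0 192.168.50.128 255.255.255.128
crypto map Branch 2 match address Branch_ISP1
crypto map Branch 2 set peer 198.51.100.1
crypto map Branch 3 match address Branch_ISP2
crypto map Branch 3 set peer 203.0.113.1
"""


def parse_config(text):
    """Parse the two line types used above: extended 'permit ip' ACEs written
    as network/mask pairs, and 'crypto map <name> <seq> ...' entries."""
    acls = {}   # ACL name -> list of (source network, destination network)
    cmap = {}   # sequence number -> {"acl": name, "peer": address}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src = ipaddress.ip_network(f"{t[5]}/{t[6]}")
            dst = ipaddress.ip_network(f"{t[7]}/{t[8]}")
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"]:
            entry = cmap.setdefault(int(t[3]), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
    return acls, cmap


def select_entry(acls, cmap, src_ip, dst_ip):
    """Return (seq, peer) of the first crypto map entry, in sequence order,
    whose ACL permits the flow, or None when no entry matches (clear text)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq in sorted(cmap):
        for s_net, d_net in acls.get(cmap[seq].get("acl"), []):
            if src in s_net and dst in d_net:
                return seq, cmap[seq]["peer"]
    return None


def encaps_per_entry(config, flows):
    """Count how many flows each crypto map entry would encapsulate: the
    per-entry analogue of '#pkts encaps' in 'show crypto ipsec sa'."""
    acls, cmap = parse_config(config)
    counts = {seq: 0 for seq in cmap}
    for src_ip, dst_ip in flows:
        hit = select_entry(acls, cmap, src_ip, dst_ip)
        if hit is not None:
            counts[hit[0]] += 1
    return counts


# Two constructed flows from an HQ host, one to each half of the branch LAN.
FLOWS = [("10.0.0.10", "192.168.50.10"), ("10.0.0.10", "192.168.50.200")]

if __name__ == "__main__":
    print("overlapping ACLs:", encaps_per_entry(OVERLAPPING_CONFIG, FLOWS))  # {2: 2, 3: 0}
    print("split ACLs:      ", encaps_per_entry(SPLIT_CONFIG, FLOWS))        # {2: 1, 3: 1}
```

With the overlapping ACLs every flow to 192.168.50.0/24 lands on entry 2, which is exactly the "encaps 0" picture on the ISP2 tunnel; with the split ACLs the destination half decides which peer gets the traffic. The same split has to be carried into the nat 0 exemption ACL, as noted earlier in the thread, or the flows are translated before the crypto map sees them.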

join_sn09 Wed, 08/27/2008 - 00:43

Dear marwanshawi,

As I assigned IP addresses and other IP addresses on the branch, I think my clients still cannot communicate because it is 2 subnets.

Best Regards,


Marwan ALshawi Wed, 08/27/2008 - 03:40


Your clients on the branch, let's say, are connected to a switch,

all on the subnet

just through your DHCP if you have it, or statically.

Clients from 1 to 126 put their default gateway as ASA1 and the rest ASA2; I thought you had already done this idea as you mentioned before!!

The only thing on the ASA ACL is to match half the subnet.

Does it make sense now!!!

join_sn09 Mon, 09/01/2008 - 02:21

Dear Marwanshawi,

Thank you very much for your help!!!! :)

I understood what you told me.....

Good idea!!!!!

Best Regards,


