site to site VPN issue

adcorbett_2
Level 1

Hello - I am trying to bring up a second site to site VPN tunnel to a site where I have an existing one, and I am having issues. Here is the layout: Right now I have site A and site B, both sites have an ASA 5520. In site A I have a link out to the internet on gi0/3 and a link to the internet via a different ISP on gi0/2. In site B I have the same setup, gi0/3 to one ISP and gi0/2 to another. Currently I have a site to site VPN tunnel that is working from A -> B via the connections on ports gi0/3. Now, I try to add a second site to site tunnel via the wizard in ASDM for site A -> B on the ports gi0/2, and as soon as I apply it, I lose the first tunnel, and the new one does not come up. As soon as I remove the second one, the original tunnel is restored. A little confusing I know, but any help would be great.

8 Replies

andrew.prince
Level 10

Can you post your "head end" ASA config for review?

Sure, here it is for site A. 71.x.x.x is the address at site B.

kwillacey
Level 3

It only has one site to site tunnel config on it. Did you remove the config?

Yes, because when I add the new one, the existing one drops.

Post the config of the extra tunnel?

Here are the latest configs. Disregard the original one as I have changed some things that have allowed me to keep the working tunnel from dropping.

The tunnel that is working fine is the one from Site A:nameif DR-FIOS to Site B:nameif Outside.

The tunnel not coming up is from Site A:nameif DR-FIOS2 to Site B:nameif DR-Tunnel.

Change from this:-

crypto map peer1 20 match address 170

crypto map peer1 20 set peer 74.Y.Y.Y

crypto map peer1 20 set transform-set myset

crypto map peer1 20 set reverse-route

crypto map peer1 interface DR-FIOS2

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map peer2 10 match address 169

crypto map peer2 10 set peer 71.X.X.X

crypto map peer2 10 set transform-set pix2

crypto map peer2 10 set reverse-route

crypto map peer2 interface DR-FIOS

to this:-

crypto map outside_map0 20 match address 170

crypto map outside_map0 20 set peer 74.Y.Y.Y

crypto map outside_map0 20 set transform-set myset

crypto map outside_map0 20 set reverse-route

crypto map outside_map0 interface DR-FIOS2

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map0 10 match address 169

crypto map outside_map0 10 set peer 71.X.X.X

crypto map outside_map0 10 set transform-set pix2

crypto map outside_map0 10 set reverse-route

crypto map outside_map0 interface DR-FIOS
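
An added example, not part of the thread and not Cisco tooling: a Python script that groups the proposed `crypto map` lines by map name and interface so the change can be reviewed before it is applied. The function names `parse` and `audit` are hypothetical, and the input is the "to this" snippet as posted in the reply above.

```python
import re
from collections import defaultdict

# Constructed input: the "to this" lines from the reply above, copied as posted.
PROPOSED = """\
crypto map outside_map0 20 match address 170
crypto map outside_map0 20 set peer 74.Y.Y.Y
crypto map outside_map0 20 set transform-set myset
crypto map outside_map0 20 set reverse-route
crypto map outside_map0 interface DR-FIOS2
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 10 match address 169
crypto map outside_map0 10 set peer 71.X.X.X
crypto map outside_map0 10 set transform-set pix2
crypto map outside_map0 10 set reverse-route
crypto map outside_map0 interface DR-FIOS
"""

BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def parse(config):
    """Return ({map: {seq: [statements]}}, {map: [interfaces]})."""
    entries = defaultdict(lambda: defaultdict(list))
    bindings = defaultdict(list)
    for line in map(str.strip, config.splitlines()):
        if m := BIND.match(line):
            bindings[m.group(1)].append(m.group(2))
        elif m := ENTRY.match(line):
            entries[m.group(1)][int(m.group(2))].append(m.group(3))
    return entries, bindings

def audit(config):
    """List points to resolve before applying the snippet."""
    entries, bindings = parse(config)
    findings = [f"{name}: entries but no interface binding in this snippet"
                for name in entries if name not in bindings]
    by_if = defaultdict(set)
    for name, ifaces in bindings.items():
        for iface in ifaces:
            by_if[iface].add(name)
    # An ASA interface accepts only one crypto map set.
    findings += [f"{iface}: bound to {sorted(names)}"
                 for iface, names in by_if.items() if len(names) > 1]
    return findings

if __name__ == "__main__":
    for finding in audit(PROPOSED):
        print(finding)
```

On the posted snippet this reports that `outside_map` still carries the dynamic entry 65535 with no interface binding among these lines; the binding may exist elsewhere in the full config.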
