5510 Multiple Tunnels

Mar 12th, 2009

I have an ASA 5510 that has Remote Access VPN and a Lan-To-Lan set up and working great. Local nets and users on the RA net can access networks across the Lan-To-Lan with no issues. I added a second Lan-To-Lan to another site and only the local network can access the remote network. Remote Access users cannot. They can still access the original tunnel network, but not the second tunnel network.

The other end in this case is a Juniper firewall. Any ideas? My crypto map has the two L2L tunnels listed first and then the RA tunnel. Again, this works great on another L2L, just not this new one.

Ivan Martinon Thu, 03/12/2009 - 20:22

You need to make sure that this particular lan to lan tunnel contains the pool of the vpn client defined as part of the local network going to the remote (juniper side) network and the remote juniper should have the same in a mirrored way.

macmad Fri, 03/13/2009 - 04:34

It does. It is configured for the local net and the RA net to communicate with the network on the remote end. Another L2L tunnel on the same ASA works fine, but this one to the Juniper does not. Any known issues with tunnels to Juniper FWs?

JamesLuther Fri, 03/13/2009 - 08:02

Hi,

It might be worth looking at the actual subnets that have been negotiated in the SA for each peer. Type

sh crypto ipsec sa

and check the "local ident" lines for each peer. For the first L2L tunnel, what was negotiated (maybe 0.0.0.0?)

It might just be the remote end hasn't configured your RA pool.

Regards
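The check James describes, and Ivan's point that the crypto ACL for this tunnel must carry the RA pool as a local network (mirrored on the Juniper), as an added example that is not part of the original thread. It parses a constructed `show crypto ipsec sa` excerpt (documentation addresses, not the poster's), and reports every required (local, remote, peer) pair that either has no SA at all or has an SA that encrypts but never decrypts, which is what a one-sided proxy-ID mismatch on the far end looks like. The LAN, RA pool and peer addresses are assumptions.

```python
"""Check the SAs an ASA actually negotiated against the subnet pairs that
remote-access (RA) clients need to reach each L2L peer.

Added example for this thread, not the poster's configuration. The
`show crypto ipsec sa` excerpt is constructed in the layout of that
command; the pool, LAN and peer values below are assumptions.
"""
import ipaddress
import re

# Assumed addressing (not from the thread).
LAN = "192.168.1.0/24"          # local network behind the ASA
RA_POOL = "172.16.50.0/24"      # VPN client address pool
SITE1, PEER1 = "10.10.10.0/24", "198.51.100.1"   # working L2L
SITE2, PEER2 = "10.20.0.0/16", "198.51.100.2"    # new L2L (Juniper side)

# Every pair that must have a usable SA: LAN and RA pool to each remote site.
REQUIRED = [
    (LAN, SITE1, PEER1), (RA_POOL, SITE1, PEER1),
    (LAN, SITE2, PEER2), (RA_POOL, SITE2, PEER2),
]

# Constructed excerpt. Three SAs are healthy; the RA-pool SA to PEER2 is
# negotiated and encrypts packets but never decrypts any.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180

    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (172.16.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 300, #pkts encrypt: 300, #pkts digest: 300
      #pkts decaps: 290, #pkts decrypt: 290, #pkts verify: 290

    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 800, #pkts encrypt: 800, #pkts digest: 800
      #pkts decaps: 790, #pkts decrypt: 790, #pkts verify: 790

    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (172.16.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): "
    r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)"
)
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text):
    """One record per SA block: proxy identities, peer address and packet counters."""
    sas = []
    for block in re.split(r"Crypto map tag:", text)[1:]:  # chunk 0 is the interface header
        rec = {"local": None, "remote": None, "peer": None, "encaps": 0, "decaps": 0}
        for kind, addr, mask, _proto, _port in IDENT_RE.findall(block):
            rec[kind] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        m = PEER_RE.search(block)
        if m:
            rec["peer"] = m.group(1)
        m = ENCAPS_RE.search(block)
        if m:
            rec["encaps"] = int(m.group(1))
        m = DECAPS_RE.search(block)
        if m:
            rec["decaps"] = int(m.group(1))
        sas.append(rec)
    return sas


def missing_coverage(sas, required):
    """One message per (local, remote, peer) triple that RA or LAN traffic cannot use."""
    problems = []
    for local, remote, peer in required:
        local_net = ipaddress.ip_network(local)
        remote_net = ipaddress.ip_network(remote)
        covering = [
            sa for sa in sas
            if sa["peer"] == peer and sa["local"] is not None and sa["remote"] is not None
            and local_net.subnet_of(sa["local"]) and remote_net.subnet_of(sa["remote"])
        ]
        if not covering:
            problems.append(f"no SA for {local_net} -> {remote_net} via {peer}: "
                            "add the pair to the crypto ACL here and mirror it on the peer")
        elif all(sa["decaps"] == 0 for sa in covering):
            problems.append(f"SA {local_net} -> {remote_net} via {peer} is up but decaps=0: "
                            f"{peer} is not returning traffic, check its policy for {local_net}")
    return problems


if __name__ == "__main__":
    for line in missing_coverage(parse_ipsec_sa(SAMPLE_SA_OUTPUT), REQUIRED):
        print(line)
```

On a real box, paste the full `show crypto ipsec sa` output in place of the constructed sample and put your own LAN, pool and peers in REQUIRED; an entry with no SA at all means the pair is missing from a crypto ACL (or an earlier crypto map sequence matched it), while encaps climbing with decaps stuck at zero points at the far side's policy.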

macmad Fri, 03/13/2009 - 08:22

Thanks James. The negotiated SA shows the correct subnets configured but shows errors related to the RA network SA so it seems the problem is on the Juniper side. The admin on the other end says the network/mask is correct but unfortunately I don't have access to confirm that.
