5510 Multiple Tunnels

Mar 12th, 2009

I have an ASA 5510 that has Remote Access VPN and a Lan-To-Lan set up and working great. Local nets and users on the RA net can access networks across the Lan-To-Lan no issues. I added a second Lan-To-Lan to another site and only the local network can access the remote network. Remote Access users cannot. They can still access the original tunnel network, but not the second tunnel network.

The other end in this case is a Juniper firewall. Any ideas? My crypto map has the two L2L tunnels listed first and then the RA tunnel. Again, this works great on another L2L, just not this new one.

Ivan Martinon (Cisco Employee) Thu, 03/12/2009 - 20:22

You need to make sure that this particular lan to lan tunnel contains the pool of the vpn client defined as part of the local network going to the remote (juniper side) network and the remote juniper should have the same in a mirrored way.

macmad Fri, 03/13/2009 - 04:34

It does. It is configured for the local net and the RA net to communicate with the network on the remote end. Another L2L tunnel on the same ASA works fine, but this one to the Juniper does not. Any known issues with tunnels to Juniper FWs?

JamesLuther Fri, 03/13/2009 - 08:02

It might be worth looking at the actual subnets that have been negotiated in the SA for each peer. Type

sh crypto ipsec sa

and check the lines "local ident" for each peer. For the first L2L tunnel what is it negotiated (maybe

It might just be the remote end hasn't configured your RA pool.
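The check James describes, carried out over a captured "sh crypto ipsec sa", as an added example that is not part of this thread: the script below is not the poster's or Cisco's code, and the output it parses is constructed, with placeholder peer and subnet addresses rather than the real ones. It lists every negotiated proxy-ID pair per peer, reports any L2L peer whose local identities never cover the RA pool (the remote side has not configured your pool, or your crypto ACL omits it), and separately flags RA-pool SAs that exist but show send errors or encapsulate traffic without ever decapsulating any.

```python
"""Parse ASA 'show crypto ipsec sa' output and check each L2L peer for the
Remote Access pool. Added example; the sample below is constructed and its
addresses are placeholders, not the thread's real networks."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: peer .1 has SAs for the LAN and the RA pool, peer .2
# only negotiated the LAN, peer .3 negotiated the RA pool but that SA shows
# send errors and zero decaps (traffic leaves, nothing comes back).
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
      #send errors: 0, #recv errors: 0

      local ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 37, #pkts decrypt: 37, #pkts verify: 37
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.5.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2
      #pkts encaps: 55, #pkts encrypt: 55, #pkts digest: 55
      #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 3, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.30.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.3
      #pkts encaps: 70, #pkts encrypt: 70, #pkts digest: 70
      #pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66
      #send errors: 0, #recv errors: 0

      local ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.30.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.3
      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 12, #recv errors: 0
"""

# One match per negotiated SA: the local/remote proxy IDs, the peer, and
# the counters that tell you whether traffic is actually flowing.
SA_RE = re.compile(
    r"local ident \(addr/mask/prot/port\): \((?P<lnet>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+\)\s*"
    r"remote ident \(addr/mask/prot/port\): \((?P<rnet>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+\)\s*"
    r"current_peer: (?P<peer>[\d.]+)\s*"
    r"#pkts encaps: (?P<encaps>\d+),.*?"
    r"#pkts decaps: (?P<decaps>\d+),.*?"
    r"#send errors: (?P<serr>\d+), #recv errors: (?P<rerr>\d+)",
    re.DOTALL,
)


def parse_sas(text):
    """Return one dict per negotiated SA (proxy-ID pair) found in the output."""
    sas = []
    for m in SA_RE.finditer(text):
        d = m.groupdict()
        sas.append({
            "peer": d["peer"],
            "local": ipaddress.ip_network(f"{d['lnet']}/{d['lmask']}"),
            "remote": ipaddress.ip_network(f"{d['rnet']}/{d['rmask']}"),
            "encaps": int(d["encaps"]),
            "decaps": int(d["decaps"]),
            "send_errors": int(d["serr"]),
            "recv_errors": int(d["rerr"]),
        })
    return sas


def peers_missing_pool(sas, ra_pool):
    """Peers with no SA whose local identity covers the RA pool (a supernet counts)."""
    pool = ipaddress.ip_network(ra_pool)
    covered = defaultdict(bool)
    for sa in sas:
        covered[sa["peer"]] |= pool.subnet_of(sa["local"])
    return sorted(peer for peer, ok in covered.items() if not ok)


def unhealthy_pool_sas(sas, ra_pool):
    """RA-pool SAs that were negotiated but show send errors or no return traffic."""
    pool = ipaddress.ip_network(ra_pool)
    return [
        (sa["peer"], str(sa["remote"]), sa["send_errors"], sa["decaps"])
        for sa in sas
        if pool.subnet_of(sa["local"])
        and (sa["send_errors"] > 0 or (sa["encaps"] > 0 and sa["decaps"] == 0))
    ]


if __name__ == "__main__":
    found = parse_sas(SAMPLE_SA_OUTPUT)
    print("peers without an RA-pool SA:", peers_missing_pool(found, "10.20.0.0/24"))
    print("RA-pool SAs with problems:", unhealthy_pool_sas(found, "10.20.0.0/24"))
```

Paste your own "sh crypto ipsec sa" output in place of the sample and set the pool to the one in your RA group policy. A peer in the first list matches Ivan's point: the pool is absent from what that tunnel negotiated, so either your crypto ACL for that peer or the far side's policy (the Juniper here) is missing it. A peer in the second list has the pool in its proxy IDs but the SA is not passing traffic, which points at the remote side's routing or policy for that subnet rather than at the negotiation itself.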


macmad Fri, 03/13/2009 - 08:22

Thanks James. The negotiated SA shows the correct subnets configured but shows errors related to the RA network SA so it seems the problem is on the Juniper side. The admin on the other end says the network/mask is correct but unfortunately I don't have access to confirm that.

Ivan Martinon (Cisco Employee) Fri, 03/13/2009 - 08:26

Can you post your config, along with the show crypto ipsec sa?

macmad Fri, 03/13/2009 - 09:14

Sure. Here's the relevant parts of the config (IPs modified) as well as the show crypto ipsec sa output. Thanks!!
