ASA5505 L2L multiple subnet problem

Unanswered Question
Sep 14th, 2009

I have a working L2L tunnel from Cisco ASA5505 to an Astaro security device. There are 4 remote LANs that are routed over this tunnel:,, and

However I cannot reach any remote device of this LAN but I can reach devices from the other 3 LANs.

The 'show crypto ipsec sa' shows that IPsec sessions are only established for the other LANs but not for

Can anyone tell me why? Is there any LAN limitation, or is it not allowed to use a public IP range for a LAN? But it works just fine with the old PIX 501.

This is part of my configuration:

ASA Version 7.2(4)

interface Vlan1
 nameif inside
 security-level 100
 ip address

object-group network test

access-list outside_cryptomap_10 extended permit ip object-group test
access-list outside_nonat_10 extended permit ip object-group test

global (outside) 1 interface
nat (inside) 0 access-list outside_nonat_10
nat (inside) 1

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map raagfw02 10 match address outside_cryptomap_10
crypto map raagfw02 10 set pfs
crypto map raagfw02 10 set peer x.x.x.x
crypto map raagfw02 10 set transform-set ESP-AES-128-SHA
crypto map raagfw02 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 13
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 7800
crypto isakmp nat-traversal 20

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Any prompt response is warmly welcomed.


Jon Marshall Mon, 09/14/2009 - 03:27


There are no limitations in terms of private/public subnets. The ASA doesn't really care one way or the other.

I assume that to get to all the remote VPN subnets you have to route out of the same interface?

If so then there doesn't look to be a lot wrong with your config. Have you tried debugging ipsec to see what is happening when the tunnel is initiated?

You may also want to verify that the Astaro is configured correctly.


kduong774 Mon, 09/14/2009 - 04:20

Hi Jon,

Thanks for the fast response.

When I ping a device from I can see that an IPsec SA is created but then removed again:

IPSEC: New embryonic SA created @ 0x0396ACB0,
    SCB: 0x01D293F8,
    Direction: inbound
    SPI      : 0x333C7B2B
    Session ID: 0x0000000D
    VPIF num : 0x00000002
    Tunnel type: l2l
    Protocol : esp
    Lifetime : 240 seconds

Sep 14 14:13:45 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: Invalid message id (9)
Sep 14 14:13:53 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x1d26588, mess id 0x954c9c0d)!
Sep 14 14:13:53 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, IKE QM Initiator FSM error history (struct &0x1d26588) , : QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Sep 14 14:13:53 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message
Sep 14 14:13:53 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Sep 14 14:13:53 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Sep 14 14:13:53 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy, Local Proxy
Sep 14 14:13:53 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

I don't have any routes set for the other subnets and still I can reach them.

Astaro is configured correctly.
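Reading output like this by hand is tedious once several subnets and peers are involved. The following is an added Python example (not from the post, and not Cisco code) that parses the IKEv1 debug lines quoted above, ties the embryonic SA to its SPI, and reports per peer whether Quick Mode completed or failed. The line formats it matches are assumed from the lines posted in this thread; the sample input is constructed from those lines with the peer kept masked as x.x.x.x.

```python
import re
from collections import defaultdict

# Constructed sample: the IKEv1 debug lines from the post above, peer kept masked as x.x.x.x.
SAMPLE_DEBUG = """\
IPSEC: New embryonic SA created @ 0x0396ACB0,
    SCB: 0x01D293F8,
    Direction: inbound
    SPI      : 0x333C7B2B
Sep 14 14:13:45 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: Invalid message id (9)
Sep 14 14:13:53 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x1d26588, mess id 0x954c9c0d)!
Sep 14 14:13:53 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
"""

# Line shapes assumed from the posted output (ASA 7.2 IKEv1 debug / IPSEC SA trace).
IKE_LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \[IKEv1(?: DEBUG)?\]: Group = \S+, IP = (?P<ip>\S+), (?P<msg>.*)$")
EMBRYONIC = re.compile(r"^IPSEC: New embryonic SA created @ (?P<addr>0x[0-9A-Fa-f]+)")
SPI_LINE = re.compile(r"^\s*SPI\s*:\s*(?P<spi>0x[0-9A-Fa-f]+)")
NOTIFY = re.compile(r"Received non-routine Notify message: (?P<name>.+?) \((?P<code>\d+)\)")
QM_ERROR = re.compile(r"QM FSM error \(P2 struct &0x[0-9a-fA-F]+, mess id (?P<mid>0x[0-9a-fA-F]+)\)")

def analyse_ike_debug(text):
    """Per-peer Phase 2 (Quick Mode) events plus the embryonic SAs seen (struct addr -> SPI)."""
    peers = defaultdict(lambda: {"notifies": [], "qm_errors": []})
    embryonic, current = {}, None
    for line in text.splitlines():
        if m := EMBRYONIC.match(line):
            current = m.group("addr")          # start of an 'IPSEC: New embryonic SA' block
            embryonic[current] = None
        elif current and (m := SPI_LINE.match(line)):
            embryonic[current] = m.group("spi")
        elif m := IKE_LINE.match(line):
            current = None                     # an IKE message ends any SA block
            p, msg = peers[m.group("ip")], m.group("msg")
            if n := NOTIFY.search(msg):
                p["notifies"].append((n.group("name"), int(n.group("code"))))
            elif q := QM_ERROR.search(msg):
                p["qm_errors"].append(q.group("mid"))
    return {"peers": dict(peers), "embryonic_sas": embryonic}

def phase2_verdict(summary, peer):
    """One-line verdict: did Quick Mode complete for this peer, or was the SA torn down?"""
    p = summary["peers"].get(peer)
    if p is None:
        return "no IKEv1 messages seen for this peer"
    if p["qm_errors"]:
        notes = ", ".join(f"{n} ({c})" for n, c in p["notifies"]) or "none"
        return (f"Phase 2 failed: {len(p['qm_errors'])} QM FSM error(s), notifies: {notes}; "
                "compare this subnet's crypto ACL entry with the remote peer's definition")
    return "Phase 2 completed (no QM FSM errors)"
```

Feed it the full debug capture for a failing ping and compare the verdict per peer with what 'show crypto ipsec sa' lists; a peer whose SA is created and immediately deleted shows up as a QM FSM error here.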
