VPN to subinterface on ASA 5520

Apr 26th, 2010

Now, our VPN users are connecting with Cisco VPN Client to interface outside.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address standby
 ospf cost 10

But we are going to use new IP addresses, so I need to enable VPN users to connect to interface outside103.

I have allowed interface "outside103" in ASDM: Configuration > Remote Access VPN > Network Access > IPSec Connection Profiles > interface outside103 (checkbox Allow)

interface GigabitEthernet0/0.103
 vlan 103
 nameif outside103
 security-level 0
 ip address
 ospf cost 10

But while trying to connect, the log messages say that there is a problem on phase 1 IKE SA...

Maybe there are some more options to enable VPN on a subinterface?

Or is VPN not supported on subinterfaces?

laptev.valery Tue, 04/27/2010 - 00:03

Our software is:
Cisco PIX Security Appliance Release Notes Version 8.0(4)

I got this for PIX:

"If a VPN tunnel is initiated using a physical interface, logical interfaces cannot participate in the VPN tunnel."

Does that mean that I need to disable VPN on the physical interface to allow it on a logical interface?

VPN client says:


Release 4.6 VPN Client error messages are different from those in the Release 4.0.x VPN Clients. With the 4.0.X version of the VPN Client, if there is a problem with the broadband provider, users get the following pop-up: "Secure VPN connection terminated locally by the client. Reason 412: The remote peer is no longer responding."

With the Release 4.6 VPN Client, there is no event message at all, the Client just states that it is not connected. If I enable connect history display, I get the following message: "Secure VPN connection terminated locally by the client. Reason 401: An unrecognized error occurred while establishing the VPN connection. Not connected."

Jennifer Halim (Cisco Employee) Tue, 04/27/2010 - 01:35

1) Do you still have an IP address configured on the physical interface? And where does your default gateway point to?

2) Are you replacing the outside interface with the new IP, or is the new IP just an extension to the old outside interface IP?

3) You can't have 2 default gateways on 2 different interfaces on ASA anyway, so

-- if the new IP is the extension of the existing public IP, then you would need to route the new IP range to the current outside interface, and you can use that new IP range for NAT.

-- if the new IP is the extension of the existing public IP, and you will be routing the subnet towards the existing outside IP, you can't use the new IP to terminate the VPN. You can only terminate on the IP address assigned to the interface of the ASA.

-- if the new IP is the extension of the existing public IP, and you would like to use the new IP for VPN termination, then you would need to assign the new IP to the outside interface, and route the existing outside subnet to the newly created interface IP.

Hopefully I haven't confused you. Let us know if you have any further questions.
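The questions raised in the reply above (is an IP address assigned to the interface, and where does the default route point) can be checked mechanically against a saved configuration. The following is an added example, not part of the thread: the sample configuration is constructed with documentation addresses, and the `crypto isakmp enable`, `crypto map ... interface` and `route` lines are assumed to be the 8.0-era CLI counterparts of the ASDM checkbox and routing discussed here.

```python
import re

# Constructed sample config using documentation addresses (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.0.2.2 255.255.255.0 standby 192.0.2.3
!
interface GigabitEthernet0/0.103
 vlan 103
 nameif outside103
 ip address 198.51.100.2 255.255.255.0 standby 198.51.100.3
!
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable outside103
"""

def vpn_readiness(config, nameif):
    """Collect the per-interface facts asked about in the thread."""
    name = re.escape(nameif)
    facts = {"ip_address": None, "isakmp_enabled": False,
             "crypto_map": None, "default_route": False}
    current = None  # nameif of the interface block being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            current = None
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif current == nameif and (m := re.match(r"ip address (\S+) \S+", line)):
            facts["ip_address"] = m.group(1)
        elif line == f"crypto isakmp enable {nameif}":
            facts["isakmp_enabled"] = True
        elif m := re.fullmatch(rf"crypto map (\S+) interface {name}", line):
            facts["crypto_map"] = m.group(1)
        elif re.match(rf"route {name} 0\.0\.0\.0 0\.0\.0\.0 \S+", line):
            facts["default_route"] = True
    return facts

def gaps(config, nameif):
    """Name each missing piece for terminating remote-access VPN on nameif."""
    f = vpn_readiness(config, nameif)
    checks = [(f["ip_address"], "no IP address on interface"),
              (f["isakmp_enabled"], "ISAKMP not enabled on interface"),
              (f["crypto_map"], "no crypto map bound to interface"),
              (f["default_route"], "default route does not use interface")]
    return [msg for ok, msg in checks if not ok]
```

Calling `gaps(SAMPLE_CONFIG, "outside103")` on the constructed sample reports the missing crypto map binding and the default route that still leaves via `outside`.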

