Running ASA 5505 with version 8.2(2).
I have configured a backup peer with this crypto configuration:
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer Y.Y.Y.Y
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
The tunnel works fine when on peer 1, X.X.X.X (pinging between hosts at 192.168.1.2 and 10.0.1.3 on the private networks). When it switches over to peer 2, Y.Y.Y.Y, the tunnel comes back up with Y.Y.Y.Y as the endpoint, as verified in 'show crypto ipsec sa'. However, I cannot pass any traffic across when peer 2 is up. Note that the peer on the other side is a multi-WAN device that has X.X.X.X and Y.Y.Y.Y attached, and the failure is created by unplugging X.X.X.X from the device.
When I run an ASA packet-tracer command using ICMP (packet-tracer input inside icmp 192.168.1.2 8 0 10.0.1.3 detail), at Phase 12 it drops the packet when it starts to encrypt it. With crypto debugs on, it matches the crypto ACL early in the phases (Phase 3), so I know the packet is headed to the tunnel. See the failure below. It says "Flow is denied by configured rule".
Forward Flow based lookup yields rule:
out id=0xd8a5bc30, priority=70, domain=encrypt, deny=false
hits=420, user_data=0x0, cs_id=0xd8a5b548, reverse, flags=0x0, protocol=0
src ip=192.168.1.0, mask=255.255.255.0, port=0
dst ip=10.0.1.0, mask=255.255.255.0, port=0, dscp=0x0
Drop-reason: (acl-drop) Flow is denied by configured rule
I tried debug acl filter, but can't get the level above 1.
Any ideas on what else I need in the config or what else I can use to debug?
Have you tried placing both set peer statements under the same crypto map entry?
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set peer y.y.y.y
I need to do that on one of my firewalls, but I got that information from Cisco TAC (verbally; I have not implemented it yet) that it works well that way.
Hope it helps.
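Added example (my own, not code from the thread): a small Python check for the two things discussed above. It parses crypto map entries and flags an ACL that is matched by more than one sequence number of the same map, which is the two-entry layout in the question that the reply suggests collapsing into a single entry listing both peers; it also pulls the Drop-reason out of packet-tracer output. The sample configs are constructed from the lines in the question; the merged one assumes the single-line form of set peer with both addresses.

```python
import re
from collections import defaultdict
# Constructed samples (not a real device dump): the two-entry layout from the
# question, and the single-entry form with both peers that the reply suggests.
SPLIT_CONFIG = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer Y.Y.Y.Y
crypto map outside_map 2 set transform-set ESP-3DES-SHA
"""
MERGED_CONFIG = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.X.X Y.Y.Y.Y
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (.+)$")
DROP_RE = re.compile(r"Drop-reason:\s*\((?P<code>[^)]+)\)\s*(?P<text>.+)")
def parse_crypto_map(text):
    """Return {(map_name, seq): {'acl', 'peers', 'transform'}} from running-config lines."""
    entries = defaultdict(lambda: {"acl": None, "peers": [], "transform": None})
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:  # e.g. 'crypto map outside_map interface outside'
            continue
        name, seq, key, value = m.groups()
        entry = entries[(name, int(seq))]
        if key == "match address":
            entry["acl"] = value
        elif key == "set peer":
            entry["peers"].extend(value.split())  # one peer per line or several on one line
        else:
            entry["transform"] = value
    return dict(entries)

def shared_acl_entries(entries):
    """ACLs referenced by more than one sequence of the same crypto map: entries are
    evaluated in sequence order, so the lowest sequence claims the traffic."""
    by_acl = defaultdict(list)
    for (name, seq), entry in entries.items():
        if entry["acl"]:
            by_acl[(name, entry["acl"])].append(seq)
    return {k: sorted(v) for k, v in by_acl.items() if len(v) > 1}

def drop_reason(trace_output):
    """(code, text) from a packet-tracer 'Drop-reason' line, or None if nothing was dropped."""
    m = DROP_RE.search(trace_output)
    return (m.group("code"), m.group("text").strip()) if m else None
```

Feed it the output of `show running-config crypto map` and the packet-tracer text; an empty result from shared_acl_entries means no sequence overlap on that map.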