- Cisco Employee,
Remote End Head End
mar 3950 -> asa 5505 vpn hard client --- wan cloud --- asa 5505 vpn server ---- 1841 head end
GRE tunnel between 3950 and 1841 head end.
EIGRP for routes back to remote end
ASA Version - Version 8.2(3)
1841 Version - (C1841-ADVENTERPRISEK9-M), Version 12.4(22)YB
So this solution works great, routes are properly distributed from the head end to the remote, thus the client has access to all allowed resources sitting on the head end.
The issue here is that when the connection between the remote and head end goes down (the VPN client goes down, or moves to another subnet, as the ASA 5505 and MAR are being used to provide hardware connectivity back to "home", a portable hardware solution), there are problems with all GRE encapsulated packets from the 1841 to the ASA 5505.
The problem I have seen is that the GRE packets are no longer being encapsulated on the ASA 5505 VPN server and tunneled over. All other packets (IGMP of known routes, etc.) get tunneled to the remote end fine. GRE encapsulated packets are being sent from the 1841 head end but are not being encapsulated at the ASA 5505 VPN server and tunneled to the remote end. They are just being sent straight to the next hop router.
Observing the ASA, it is clear based on the packet capture and the 'show crypto ipsec sa' encap count that the ASA is not encapsulating the tunnel packets. The fix to the problem is actually not on the ASA, though; it is to reboot the 1841 head end, and everything works again. I cannot find anything in the ASA VPN server or 1841 head end that may be causing the problem. The only thing, which really shouldn't matter as the IP access list picks up the encapsulated GRE packet, is to add GRE to the VPN list.
Any hints into possible config problems would be most appreciated. In the meantime I'm going to try a new head end router, see what happens....