L2L VPN using Dynamic IP -- issue

Sep 20th, 2010

Dear All,


I have multiple sites with dynamic IP addresses.


At HO I have a Cisco router with a dynamic IP address, on which internet port forwarding is configured, and the VPN is terminated on an ASA.


I have 40 branches, all with dynamic IPs. All L2L tunnels are up and running.


My issue is that communication from branch to HO is perfect, but from HO I am not able to access any of the branch resources.


Could somebody help me to resolve this issue? Config is attached.

Marcin Latosiewicz (Cisco Employee) Mon, 09/20/2010 - 08:01

Please check the logs on the ASA while running the test, for the IP address you're testing with.

Make sure you're logging at least on informational level.


I'm curious, why aren't you using ezvpn in NEM mode instead of l2l?


Marcin

jibsoni@hotmail.com Tue, 09/21/2010 - 00:43

Hi Marcin,


Thanks for your support. This was done by some other company and now I am taking care of the network.


I have a doubt about the Cisco ASA (HO): there is no access-list configured on the ASA, but on the branch an ACL is configured.


Please clarify my doubt


When I am trying to access a branch from HO, how will the ASA forward the traffic to that particular branch? But when I access HO from a branch it will take the VPN ACL and go out (I am able to access all HO resources from BR).


One more piece of information: I have two Internet routers in HO, 20 branches are connected to one and 20 to the other. On the ASA there is no default gateway configured.


Please suggest me a solution.

Marcin Latosiewicz (Cisco Employee) Tue, 09/21/2010 - 01:38


Let me address those one by one.



1. Regarding crypto ACL - since we don't know which peer is going to tunnel which subnets (proxy IDs) we rely on the client to request correct proxy IDs. Thus the other side will request something and we will accept it as the proxy IDs for that peer. That's OK with dynamic IP for L2L peers.


2. See answers above, correct proxy IDs are installed on the ASA (or should be).


3. That's indeed interesting.

Can you add "crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse" to your configuration?

If there are two possible routers to go out via ... are they in HSRP or something? Is the ASA visible via different IP addresses on the outside depending on which dynamic peer connects?



Can you please attach a topology diagram?


Marcin

jibsoni@hotmail.com Tue, 09/21/2010 - 03:14

Thanks for your valuable time


As you advised I have added "crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse", but the result was the same (can't access branch from HO), and I am not using any HSRP configuration on the internet routers.


I am not aware of proxy settings (correct proxy IDs are installed on the ASA). Is it required?


As per the diagram, all locations are using ADSL and port forwarding is configured on both internet routers for the VPN ports. Kindly go through the attached diagram and suggest.

Attachment: 
Marcin Latosiewicz (Cisco Employee) Tue, 09/21/2010 - 07:36

The ASA installs proxy IDs based on what the dynamic peer asks for.


Did you try to tear down the tunnel after you added reverse route injection?



Can you please attach "show vpn-session" and "sho route".



I would also check logs if it's the ASA dropping those packets.


--------
conf t
logg buffered info
logg buffer-size 1000000
--------


Initiate the test and check for me:

-------
sh logg | i SOURCE_IP
sh logg | i DESTINATION_IP
-------


Marcin

jibsoni@hotmail.com Tue, 09/21/2010 - 23:59

Thank you Marcin


I have rebooted one of the branch routers after adding reverse route injection.


Kindly check the attached log file which you requested.

Attachment: 
Correct Answer
Marcin Latosiewicz (Cisco Employee) Wed, 09/22/2010 - 00:36

AHA!


I understand the setup a little bit better.


It seems that your routers are doing destination NAT, so all tunnels appear to be coming from the "172.16.40.0/23" subnet.


And indeed your assumption is correct: the problem appears to be related to a lack of correct routes pointing to the outside (at least it seems so for now).

However reverse route injection should take care of it.


Speaking of which, I noticed your tunnels land on "crypto dynamic-map alfa" and not the system default.


Please add "crypto dynamic-map alfa 1 set reverse" and restart one of the tunnels (do not reload the spoke, just clear isakmp or ipsec session for it).


We'll see from there.


Marcin
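The fix in this answer, written out as an added configuration example. This is not the configuration from the thread: the dynamic map name "alfa", its sequence number 1 and the system default map name come from the thread, while the transform-set name ESP-3DES-SHA, the crypto map name outside_map, the interface name outside, the crypto map sequence numbers, the spoke LAN 10.1.1.0/24 and the post-NAT peer address 172.16.40.5 are assumed. The first part shows the ineffective placement of reverse route injection on the system default dynamic map while the L2L peers actually match "alfa"; the second part puts it on the map the peers land on, followed by the tear-down and verification steps Marcin describes.

```cisco
! --- Ineffective: RRI only on the system default dynamic map ---
! The dynamic spokes match dynamic map "alfa" (assumed here to sit at
! a lower sequence number in outside_map than the system default), so
! "set reverse-route" on SYSTEM_DEFAULT_CRYPTO_MAP never applies to
! them and no route for the spoke LANs is ever installed.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto dynamic-map alfa 1 set transform-set ESP-3DES-SHA
crypto map outside_map 10 ipsec-isakmp dynamic alfa
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

! --- Fix: RRI on the dynamic map that terminates the L2L peers ---
! "set reverse" in the thread is the abbreviated form of this command.
crypto dynamic-map alfa 1 set reverse-route

! RRI only takes effect when an IPsec SA is (re)built, so clear one
! spoke's SAs on the ASA instead of reloading the spoke. The peer
! address is the one the ASA sees after the internet router's NAT
! (assumed 172.16.40.5 from the 172.16.40.0/23 range in the thread).
clear crypto ipsec sa peer 172.16.40.5

! Verify once the spoke has rebuilt the tunnel: its LAN should now be
! in the routing table via the outside interface, and the negotiated
! proxy IDs for that peer should cover the subnets HO needs to reach.
show route | include 10.1.1.0
show crypto ipsec sa peer 172.16.40.5 | include ident|caps
```

Because the ASA cannot reach a spoke's LAN without a route that points at the outside interface, any spoke whose tunnel was built before "set reverse-route" was added keeps failing in the HO-to-branch direction until its SA is cleared or expires; clearing per peer, as above, avoids dropping all 40 tunnels at once.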

jibsoni@hotmail.com Wed, 09/22/2010 - 01:12

Hi Marcin,


That worked! I just added "crypto dynamic-map alfa 1 set reverse" and restarted the tunnel.


Thanks a lot for your support and the time you spent on this issue.

jibsoni@hotmail.com Wed, 09/22/2010 - 01:49

One quick question.


In HO I have 2 subnets, 192.168.0.x and 192.168.5.x. From 192.168.0.x the branch is accessible, but from 5.x the branch is not accessible.

Any solution for this?


Do I need to configure a VPN ACL or not?

Marcin Latosiewicz (Cisco Employee) Wed, 09/22/2010 - 02:57

Normally you should not ...


Is this happening all across the spokes or only on some?


Can you show me the "show crypto ipsec sa | i caps|ident|spi|peer" output?
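The thread ends before the 192.168.5.x question is resolved. One cause that is consistent with Marcin's earlier explanation (the ASA installs whatever proxy IDs the dynamic spoke requests, so the spoke's crypto ACL decides which HO subnets get an SA) is a spoke crypto ACL that names only 192.168.0.0/24 as the remote network. The example below is added here and is not configuration from the thread; it assumes a Cisco IOS spoke with LAN 10.1.1.0/24, the HO public peer address 198.51.100.10, the names VPN-TO-HO, HO-MAP and ESP-3DES-SHA, and the post-NAT peer address 172.16.40.5 on the ASA side. The two HO subnets are the ones named in the question.

```cisco
! --- Spoke crypto ACL that covers only one HO subnet ---
! Only one proxy ID pair is proposed to the ASA, so only the SA
! 10.1.1.0/24 <-> 192.168.0.0/24 exists; packets from 192.168.5.x
! towards the branch have no SA and are never encrypted.
ip access-list extended VPN-TO-HO
 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255

! --- Corrected: one ACE per HO subnet the branch must exchange
! traffic with. Each ACE becomes its own proxy ID pair (its own
! IPsec SA) on the ASA; nothing needs to be added on the ASA side.
ip access-list extended VPN-TO-HO
 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255

crypto map HO-MAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set ESP-3DES-SHA
 match address VPN-TO-HO

! Spoke-side check: the branch's internet NAT must exempt the same
! 10.1.1.0/24 -> 192.168.5.0/24 flows, or they are translated before
! the crypto ACL is consulted and never match it.
show access-lists VPN-TO-HO

! ASA-side check after the spoke rebuilds the tunnel: both remote
! idents should be listed for the peer, each with its own SA.
show crypto ipsec sa peer 172.16.40.5 | include ident|caps
```

If the ASA output shows a remote ident for 192.168.0.0/24 but none for 192.168.5.0/24, the spoke never proposed the second subnet and the fix belongs on the spoke, not on the hub; if both idents are present but the 192.168.5.0/24 SA shows decaps without encaps, look instead at HO-side routing or NAT for that subnet.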
