New Member

PIX to ASA5510 L2L

I'm having a little trouble with this first of many l2l connections. The 2nd part of phase one seems to be failing and I can't put my finger on it, maybe another set of eyes could help. It's map 870, tunnel-group 204.87.234.40. Thanks in advance for any input.

See attachments

I tried to pare down the info to just the pertinent stuff, but there is still a lot there.

Thanks again

David VanHaaren

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: PIX to ASA5510 L2L

David,

glad it worked. Just so you know though, it really has 0 to do with the dynamic map. It has everything to do with the order of operations of the crypto map.

In any event, you are good to go so that's what's important.

-C

13 REPLIES
Green

Re: PIX to ASA5510 L2L

You should not use the same acl for all your vpn's.

ASA

access-list crypto_map_870 extended permit ip 10.3.0.0 255.255.0.0
access-list crypto_map_870 extended permit ip 207.78.40.0 255.255.255.0 192.168.0.0 255.255.0.0
crypto map qdi 870 match address crypto_map_870
crypto map qdi 870 set peer 204.87.234.40
crypto map qdi 870 set transform-set remotes

I would start there.

New Member

Re: PIX to ASA5510 L2L

Thanks for the idea.

The debug still comes up the same. It seems to only check the first couple of maps and when it doesn't find its peer it stops. The other maps are not yet in use and most of them will be coming out. The license supports 200 VPN connections so I'm at a loss here.

David

Green

Re: PIX to ASA5510 L2L

Made a small error above.

access-list crypto_map_870 extended permit ip 192.168.0.0 255.255.0.0 10.3.0.0 255.255.0.0

Also, if you are not using access list l2ltunnel I would get rid of it as it contains duplications to the new acl you created.

New Member

Re: PIX to ASA5510 L2L

I caught the error and adjusted the ACL. I'm wondering if I need to take all the map entries out and start with just one and build from there? I was hoping I was just missing something obvious. The debug does show the right networks being assigned to the tunnel.

New Member

Re: PIX to ASA5510 L2L

Would anybody else have any suggestions? All comments, ideas, thoughts are welcome.

Green

Re: PIX to ASA5510 L2L

What does your config look like now? I still think it is an issue with the l2ltunnel acl including traffic which should be specific to the tunnel you are trying to bring up, but I of course could be wrong.

New Member

Re: PIX to ASA5510 L2L

Here's the config I've been trying with the changed ACL. At the bottom you can see it starts to establish then dies.

David

Green

Re: PIX to ASA5510 L2L

In your "show cry isa sa", the "type" should not be saying "user". It should be saying "L2L". Not sure why it's doing that, hopefully someone else can chime in.

I would try moving this one down the list.

no crypto map qdi 70 ipsec-isakmp dynamic remote
crypto map qdi 65535 ipsec-isakmp dynamic remote

New Member

Re: PIX to ASA5510 L2L

That's a good point.

Can I do that remotely if I'm VPN'ed in?

Will it drop my connection?

David

New Member

Re: PIX to ASA5510 L2L

Here's part of your issue. You have a crypto map with tons of stuff defined but most of it is incomplete. When the ASA goes through the map process, it goes in order. Once it hits 60, it stops because it's not complete. To test this, just create a new crypto map with your peer only in it and apply that to the interface, or make sure your map is complete.

You seem to be passing phase IKE already so I think that might be where the issue is.

HTH

Chris

New Member

Re: PIX to ASA5510 L2L

Just for clarification, I mean that the crypto map will stop as soon as it gets to a number on there where all the info isn't there. So in your case, at least in the new config, it's pretty much everything because you removed the ACL you were attempting to match against before.

-C
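As an added example, not taken from the thread or from Cisco's documentation, this is what the crypto map described above would look like once the L2L entry 870 is the first complete entry the ASA evaluates and the dynamic entry sits at the highest sequence number. The interface name "outside", the contents of the incomplete entry 60 and the existence of the transform-set "remotes" are assumptions.

```text
! Remove the entries that are evaluated before 870: an incomplete static
! entry (assumed to contain only a transform-set) and the low-numbered dynamic entry
no crypto map qdi 60 set transform-set remotes
no crypto map qdi 70 ipsec-isakmp dynamic remote

! One complete static L2L entry per peer, each with its own ACL
access-list crypto_map_870 extended permit ip 192.168.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list crypto_map_870 extended permit ip 207.78.40.0 255.255.255.0 192.168.0.0 255.255.0.0
crypto map qdi 870 match address crypto_map_870
crypto map qdi 870 set peer 204.87.234.40
crypto map qdi 870 set transform-set remotes

! Dynamic (remote-access) entry last, at the highest sequence number,
! so it is only consulted when no static entry matches the peer
crypto map qdi 65535 ipsec-isakmp dynamic remote
crypto map qdi interface outside

! Verify: the SA for this peer should now show type L2L, not user
show crypto isakmp sa
show crypto ipsec sa peer 204.87.234.40
```

Any remaining static entries that lack a match address or a peer should be completed or removed before they are reached in sequence order.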

New Member

Re: PIX to ASA5510 L2L

It appears moving the map to the head of the class is a winner. I think both ideas come into play here. By moving the map ahead of the dynamic map and the incomplete maps it works. I'm thinking the dynamic map was the main culprit since the other maps were complete originally. So much for trying to get a little ahead. One map at a time is the law. Thanks guys, really appreciate the extra sets of eyes.

David
