Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

EZVPN bug or feature?

Ran into an issue last night troubleshooting my home EZVPN setup, it wouldn't connect, and kept referencing the ACL, but the ACL is correct. It wasn't until I logged into an 851 with EZVPN that I found the problem. If you exceed 50 lists for split tunneling, the connection fails. There are only 7 EZVPN connections to an ASA5505, and only 3 networks for split tunneling, two single public IP's and

Here is what I am seeing, for each VPN client there is an entry for the three subnets on each client, There were 17 client subnets configured using an object group with a single ACL,

access-list EZ-VPN-Split permit ip object-group EZVPN object-group EZVPN-Users

each client router was receiving 51 subnets to encrypt, all of the them were duplicates of the three subnets in the EzVPN to encrypt object-group.

How do I prevent this from happening? The ASA5505 only supports 10 peers, so that would be 30 routes. They should only see 3 from what I understand, do I need to setup the ACL different?


Re: EZVPN bug or feature?

In reality, platforms such as the 8xx and 17xx can only support a much smaller number of security associations (SAs). The number of such split tunnel and connect ACL do not pose a problem with EZVPN VI, where only a single SA is setup regardless of the number of split tunnels or connect ACL counts. We want to restrict the count to below platform limits, by restricting the number of SAs that are setup, and ignoring the overflow.

CreatePlease login to create content