Ran into an issue last night troubleshooting my home EZVPN setup: it wouldn't connect and kept referencing the ACL, but the ACL is correct. It wasn't until I logged into an 851 with EZVPN that I found the problem. If you exceed 50 lists for split tunneling, the connection fails. There are only 7 EZVPN connections to an ASA5505, and only 3 networks for split tunneling: two single public IPs and 10.0.0.0/8.
Here is what I am seeing: for each VPN client there is an entry for the three subnets on each client. There were 17 client subnets configured using an object group with a single ACL:
access-list EZ-VPN-Split permit ip object-group EZVPN object-group EZVPN-Users
Each client router was receiving 51 subnets to encrypt, all of them duplicates of the three subnets in the EzVPN "to encrypt" object-group.
How do I prevent this from happening? The ASA5505 only supports 10 peers, so that would be 30 routes. They should only see 3 from what I understand; do I need to set up the ACL differently?
In reality, platforms such as the 8xx and 17xx can only support a much smaller number of security associations (SAs). The number of such split-tunnel and connect ACL entries does not pose a problem with EZVPN VI, where only a single SA is set up regardless of the number of split-tunnel or connect ACL entries. We want to restrict the count to below platform limits by restricting the number of SAs that are set up and ignoring the overflow.
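The cross-product behaviour described in the question and in the reply above, as an added example that is not from the thread or from Cisco: a small Python check that parses the two object-groups, expands the single object-group ACE into the per-pair entries each peer receives, and compares the count with the threshold the poster observed. Only 10.0.0.0/8, the group and ACL names and the 50-entry threshold come from the thread; every other address and the 192.168.x.0/24 client subnets are constructed.

```python
"""Expand an ASA object-group ACE into the per-pair split-tunnel entries each
EZVPN peer receives; 3 protected nets x 17 users = 51, as the thread observed."""
import re
from itertools import product

SPLIT_TUNNEL_LIMIT = 50  # failure threshold reported by the original poster

# Constructed sample config for the two groups named in the thread's ACE.
CONFIG = """
object-group network EZVPN
 network-object 10.0.0.0 255.0.0.0
 network-object host 203.0.113.10
 network-object host 198.51.100.20
object-group network EZVPN-Users
""" + "".join(f" network-object 192.168.{i}.0 255.255.255.0\n" for i in range(1, 18))

ACE = "access-list EZ-VPN-Split permit ip object-group EZVPN object-group EZVPN-Users"

def parse_object_groups(text):
    """Return {group_name: [network, ...]} from 'object-group network' blocks."""
    groups, current = {}, None
    for line in text.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and line.strip().startswith("network-object"):
            parts = line.split()  # 'host A.B.C.D' is a /32, otherwise 'net mask'
            current.append(f"{parts[2]}/32" if parts[1] == "host" else f"{parts[1]} {parts[2]}")
    return groups

def expand_ace(ace, groups):
    """Return the (source, destination) pairs a single object-group ACE stands
    for; the thread shows the ASA pushing one split-tunnel entry per pair."""
    m = re.match(r"access-list \S+ permit \S+ object-group (\S+) object-group (\S+)", ace)
    src, dst = m.groups()
    return list(product(groups[src], groups[dst]))

def split_tunnel_report(ace, config, limit=SPLIT_TUNNEL_LIMIT):
    """Summarise what a peer would receive: entry count, how many distinct
    protected networks those entries really cover, and whether the limit is hit."""
    pairs = expand_ace(ace, parse_object_groups(config))
    return {
        "entries_pushed": len(pairs),
        "distinct_protected_nets": len({src for src, _ in pairs}),
        "exceeds_limit": len(pairs) > limit,
    }
```

Running `split_tunnel_report(ACE, CONFIG)` reproduces the poster's numbers: 51 entries pushed that cover only 3 distinct protected networks.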