I'm troubleshooting a site-to-site VPN tunnel between our Cat 6506 w/ VPN module to peer's PIX-515. The peer's crypto config appears to be incorrect and has two tunnels built between it and our VPN module.
crypto map mymap 1 match address acl1
crypto map mymap 1 set peer 126.96.36.199
crypto map mymap 1 set transform-set myset
crypto map mymap 2 match address acl2
crypto map mymap 2 set peer 188.8.131.52
crypto map mymap 2 set transform-set myset
access-list acl1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list acl2 permit ip 10.10.0.0 0.0.255.255 host 10.255.255.1
My question is how does the PIX determine which crypto peer (and subsequent SA) to send a packet to? In this example if a packet is sent from 10.10.1.1 to 10.255.255.1, does it match acl1 because it is sequentially higher than the next peer, or does it match acl2 because it is the longest-match for that packet?
I've tried looking through Cisco's website and documentation, but I cannot find the order of precedence for crypto tunnels and how packets are selected/sent.
If memory servers, I believe the lower map statement has priority. Therefore, everything going from 10.0.0.0 /8 to 10.0.0.0 /8 will be encrypted using the first mymap statement...however, both remote peers and transform sets are the same, so I'm not sure what you're trying to accomplish here.
The second crypto map statement should not be configured and is being removed. That is the first thing we identified on the peer that needed to be changed. I know that over-lapping networks can cause SPI errors (which is something we are seeing on our end), hence the reason we're troubleshooting.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...