I have a problem that I think is pointing back to the isakmp identity being set to hostname on an ASA.
I have configured ezvpn on a router, but it won't connect to an ASA. I can use the same groupname and password that I'm using in the router in the software client and it works fine. I configured another ASA with the crypto isakmp identity hostname, and the same thing happens. It says that none of the policies match. If I change the identity to address on the test ASA, I can connect with no problems.
I haven't changed the isakmp identity on the production one because I have sites that are connecting to us via ASAs and software clients (vendors and users). I have a domain name that resolves to two public addresses for vpn connectivity, and this is why I believe hostname was used. The ASA has a public address, but it can be natted to another address via a Fatpipe. Is there any workaround that I can do on the router, and if not, is there any bad effect on changing the identity on the ASA to address being that the public address could be natted to a different public address?
I've got a TAC case opened on this, but they haven't been able to help me.
In case the HQ has only one public address, but you want to utilize 2 links by doing NAT for 2 ISPs.
Well, it's a good idea to do that. There are limitations I'm concerned about.
- Can't resolve a hostname by using DNS. It can refer to a peer name from a "name" command.
- Can't connect 2 links/ISPs at the same time because the interesting traffic is overlapped when configuring 2 instances. The device will get confused.
- Can do load-sharing, such as Site A uses ISP1 (NATed at HQ); if ISP1 goes down, then go to ISP2 (NATed at HQ).
- Can play around with DNS. You can specify the peer as a name. The name can be resolved by DNS. If I have 10 branch sites and a device acting as DNS that provides 2 public addresses (as round robin or something like that) when the 10 branch sites ask for the IP address of the peer, 5 branches should use ISP1 and the other 5 branches should use ISP2.
Note: What the router can do is resolve the name. After that it goes to build the tunnel. You need a third device to reply with 2 public IP addresses. What about FATPIPE? Let's check it out.
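As an added illustration (not configuration from either poster), here are the two ASA identity settings the original poster compared, beside a minimal router EzVPN client pointed at the ASA. The EzVPN profile name, group name, key, peer address and interface names are placeholders assumed for the example.

```cisco
! --- ASA, as on the production unit: ISAKMP ID payload carries the FQDN ---
! The poster reports that the router EzVPN client fails against this
! setting with "none of the policies match", while the software client works.
crypto isakmp identity hostname
!
! --- ASA, as on the test unit: ISAKMP ID payload carries the interface IP ---
! The poster reports the router connects with this setting. Caveat from the
! thread: the ASA's own address may be NATed by the Fatpipe to a different
! public address before it reaches the peers.
crypto isakmp identity address
!
! --- Router EzVPN client (placeholder names, key and peer address) ---
crypto ipsec client ezvpn HQ-EZVPN
 connect auto
 group BRANCH-GROUP key BRANCH-KEY
 mode client
 peer 203.0.113.10
 xauth userid mode interactive
!
interface GigabitEthernet0/0
 description WAN (placeholder)
 crypto ipsec client ezvpn HQ-EZVPN outside
!
interface GigabitEthernet0/1
 description LAN (placeholder)
 crypto ipsec client ezvpn HQ-EZVPN inside
!
! Verification after changing the ASA identity: the tunnel state on the
! router and the ISAKMP SA on either side.
! show crypto ipsec client ezvpn
! show crypto isakmp sa
```

The peer can also be given as a name, which the router resolves through its configured DNS servers before building the tunnel.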