CSM 3.1.1 VPN discovery fails

ckuriyar74
Level 1

I already have site-to-site VPNs configured between an ASA 5505 running 7.2(3) and an ASA 5510 running 8.0(3).

These ASAs are added in CSM, and while discovering the VPN I get the error message "discovery failed: A valid crypto map missing on the interface".

But I am able to discover site-to-site VPNs in other ASA boxes running the 7.2(3) and 8.0(3) images.

I also have an ASA 5510 (8.0.3) with two interfaces enabled for multiple ISPs and a site-to-site VPN configured on both interfaces.

The problem is I am unable to discover the VPN in CSM 3.1.1 and get the error message "Crypto map applied to more than one interface".

Can anyone help me solve these issues?

15 Replies

dradhika
Cisco Employee

Can you attach the config of the ASA device for the first issue?

Thanks,

Radhika

I have attached the configs of the ASA 5505 and 5510.

The site-to-site VPNs work fine when configured using the CLI, but I am unable to discover the VPN in Security Manager.

Hi,

I discovered the attached configs in the latest CSM version. Discovery works fine, with no error messages. I did P2P discovery. Did you use the same when you got the error message?

Thanks,

Radhika

Hi Radhika,

Thanks.

I am using CSM release 3.1.1 with SP3, and I get the error message when I try P2P discovery.

I just wanted to know on which release you managed to discover successfully?

It's 3.2.1. Protected networks were not discovered. I think that's just because of the ACLs with missing IP addresses.

Thanks,

Radhika

I tried with 3.2 and without RME installed, but I get the same error.

Does it require RME to be installed?

Thanks,

Chandru

Hi Chandru,

No. I don't think the problem is related to RME.

You might be getting the error message because of the dynamic crypto map on the 5510. Just guessing, not sure. Can you try removing this line and check if it works:

crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP.

Also, this line is missing in your configs:

sysopt connection permit-ipsec. Can you add this to both files before discovering?

Thanks,

Radhika

I tried these options, but no luck.

I have other site-to-site VPNs configured in the ASA 5510 and I am able to discover them successfully using CSM 3.1.1.

I have two site-to-site VPNs configured on the ASA 5505 to remote sites with an ASA 5510 and a PIX 515E. The issue is I can't discover either VPN configured on the ASA 5505 in CSM.

The discovery of VPNs from the PIX 515E to other remote sites is fine.

Thanks,

Chandru

Hi Radhika,

I was finally able to figure out the problem.

My ASA 5505 is behind a DSL router, and the ASA outside interface is NATed in the DSL router.

If I change the ASA 5505 outside interface to the real outside address, I am able to discover the VPN successfully in my test system.

In the same way, I had another issue where the ASA 5510 has a crypto map enabled on 2 interfaces and I had a problem with discovery of the VPN. If I remove the crypto map from one of the interfaces, I am able to discover the VPN.

But I am not able to discover the VPN with the original configs.

Any idea how to resolve this issue?

Thanks,

Chandru

Not sure if I understand what you meant.

Do you mean that you still cannot discover the VPNs?

If so,

1. can you try discovering from the files instead of from the live devices?

2. If you try discovering just the devices with RA policies, do you see any error message?

3. Is the basic discovery of the devices without any policy discovery working? (Is Device reachable from CSM?)

Thanks,

Radhika

1. I still cannot discover the VPNs using the original config files.

2. Basic discovery of the device works fine, and the device is reachable from CSM.

I will explain in detail.

I have an ASA 5505 behind a DSL router, and the ASA outside interface 192.168.194.2 is NATed in the DSL router to a public address with all traffic open.

Issue: If I remove the ASA outside interface address 192.168.194.2 and put the real outside address in the configuration file, discovery of the VPN works fine; with address 192.168.194.2 it fails to discover the VPN with the error message "Missing a valid crypto map on the device".

I have an ASA 5510 with two interfaces configured for VPN with a crypto map enabled. Basic discovery of this device is fine, and it's reachable from CSM.

Issue: If I remove the crypto map from either interface in the config file, discovery of the VPN works fine, but with the crypto map enabled on both interfaces discovery of the VPN fails with the error message "Crypto map enabled in one or more interfaces".

I hope what I explained is clear.

Thanks,

Chandru

Hi Chandru,

Issue 1: When you are using the interface address 192.168.194.2, did you also update the configuration on the peer device with the crypto map set peer IP address 192.168.194.2 instead of the NATed address?

Issue 2: CSM allows only one interface to be configured as the VPN interface. That is the reason discovery throws the error message that the crypto map is enabled on more than one interface. This is the implementation, I guess.

HTH,

Radhika

Hi Radhika,

Issue 1: No, I use the NATed address as the peer address instead of 192.168.194.2 on the peer device.

Issue 2: Is there any solution so that CSM supports a crypto map enabled on more than one interface, or is there no solution?

Thanks,

Chandru
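As an added example that is not part of this thread and is not CSM's own discovery logic: a small Python lint over ASA running-config text that flags the two conditions the Issue 1 / Issue 2 exchange above attributes the discovery failures to, namely a crypto map bound on more than one interface, and a VPN interface whose configured address is RFC 1918 private while the remote peer's `crypto map ... set peer` points at a different (NATed) address. The sample configs, interface names, map names and addresses below are constructed for illustration; they are not the configs posted in the thread, and the parsing covers only the `interface`, `nameif`, `ip address`, `crypto map ... interface` and `crypto map ... set peer` lines.

```python
"""Lint ASA configs for the two conditions that broke CSM VPN discovery in the thread.

Added example; not CSM code and not the poster's configs. Only a handful of ASA
config lines are parsed (interface blocks and crypto map bindings/peers).
"""
import ipaddress
import re
from dataclasses import dataclass, field

IFACE_RE = re.compile(r"^interface (\S+)")
NAMEIF_RE = re.compile(r"^\s+nameif (\S+)")
IPADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
MAP_IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)")
SET_PEER_RE = re.compile(r"^crypto map (\S+) \d+ set peer (\S+)")

# Python's ipaddress.is_private also covers documentation ranges (TEST-NET),
# so check RFC 1918 explicitly: that is what "behind a NATing DSL router" means here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass
class AsaConfig:
    iface_ip: dict = field(default_factory=dict)    # nameif -> configured address
    map_ifaces: dict = field(default_factory=dict)  # crypto map name -> [nameif, ...]
    peers: set = field(default_factory=set)         # every 'set peer' address in the config


def parse_asa(text):
    """Pull interface addresses, crypto-map bindings and peer addresses out of an ASA config."""
    cfg = AsaConfig()
    nameif = ip = None
    for line in text.splitlines():
        if IFACE_RE.match(line):
            nameif = ip = None                       # start of a new interface block
        elif m := NAMEIF_RE.match(line):
            nameif = m.group(1)
        elif m := IPADDR_RE.match(line):
            ip = m.group(1)
        elif m := MAP_IFACE_RE.match(line):
            cfg.map_ifaces.setdefault(m.group(1), []).append(m.group(2))
        elif m := SET_PEER_RE.match(line):
            cfg.peers.add(m.group(2))
        if nameif and ip:                            # both halves of the block seen
            cfg.iface_ip[nameif] = ip
    return cfg


def find_issues(local, remote):
    """Return (code, detail) pairs for the local config, given the remote peer's config."""
    issues = []
    bindings = sorted((iface, name) for name, ifs in local.map_ifaces.items() for iface in ifs)
    vpn_ifaces = sorted({iface for iface, _ in bindings})
    # Condition 2 from the thread: CSM models a single VPN interface per device.
    if len(vpn_ifaces) > 1:
        detail = ", ".join(f"{iface} ({name})" for iface, name in bindings)
        issues.append(("MULTI_INTERFACE", "crypto map bound on more than one interface: " + detail))
    # Condition 1: the VPN interface carries a private address, but the peer
    # terminates the tunnel on some other (NATed) address.
    for iface in vpn_ifaces:
        ip = local.iface_ip.get(iface)
        if ip is None:
            issues.append(("NO_ADDRESS", f"VPN interface {iface} has no ip address"))
        elif is_rfc1918(ip) and ip not in remote.peers:
            issues.append(("NATED_VPN_INTERFACE",
                           f"{iface} is {ip} (RFC 1918) but the peer sets peer {sorted(remote.peers)}"))
    return issues


# Constructed sample: a 5505 whose outside interface sits behind a NATing DSL router.
ASA5505_CFG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.194.2 255.255.255.0
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map interface outside
"""

# Constructed sample: the 5510 peer, which points at the DSL router's public address.
ASA5510_CFG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
crypto map WAN_map 20 match address outside_cryptomap
crypto map WAN_map 20 set peer 198.51.100.5
crypto map WAN_map interface outside
"""

# Constructed sample: a dual-ISP 5510 with one crypto map bound on two interfaces.
DUAL_ISP_CFG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 192.0.2.20 255.255.255.248
crypto map WAN_map 20 set peer 198.51.100.5
crypto map WAN_map interface outside
crypto map WAN_map interface backup
"""

if __name__ == "__main__":
    for label, local, remote in (("5505 vs 5510", ASA5505_CFG, ASA5510_CFG),
                                 ("dual-ISP 5510 vs 5505", DUAL_ISP_CFG, ASA5505_CFG)):
        for code, detail in find_issues(parse_asa(local), parse_asa(remote)):
            print(f"{label}: {code}: {detail}")
```

Running it reports the NATed 5505 outside interface against the 5510's `set peer`, and the dual-ISP config as bound on two interfaces; the same 5510 checked against the 5505 comes back clean. It is a pre-flight check on the saved config files, which is the cheap place to catch both conditions before a live discovery run.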
