ASA 5510 VPN with remote dual wan

jacobdixon
Level 1

I pretty much use the ASDM for configuring our pair of ASA 5510s and I'm having an issue with the site-to-site VPNs that I set up.

Basically the remote site has a Sonicwall that has dual WAN. Each WAN is configured and so is the VPN tunnel which is bound to "ZONE WAN" which means both of the WAN links.

It seems to cause problems when it fails over and I will get messages like: "IKE Initiator unable to find policy dual wan"

Based on my research this is because there is another VPN connection profile using the same Remote Network but with a different peer IP. Well, that's the thing: I want there to be two points for the VPN because when the remote Sonicwall fails over it will be coming from another external IP.

So under connection profiles in ASDM it is like this:

1.1.1.1, outside, 192.168.1.0/24 (local network), 192.168.32.0/24 (remote network)

2.2.2.2, outside, 192.168.1.0/24 (local network), 192.168.32.0/24 (remote network)

1.1.1.1 being the Sonicwall's primary IP and 2.2.2.2 being the secondary IP.

Do I have this configured incorrectly, and is this why I am running into these problems? Or better yet, is there a better way to configure this?

3 Replies

jacobdixon
Level 1

I think I got this figured out.

Instead of adding two connection profiles I only add one. Then I find the crypto map that it generated, open it up, and place the second peer IP in the list for that crypto map.

I am using bidirectional and it seems to be working.

OK, I don't think it is working properly.

Basically when the remote site fails over to the backup internet the VPN won't establish. I see this on the Cisco ASA 5510 when the backup internet is activated: "Xauth required but selected Proposal does not support xauth"

Here is what I have setup:

Main Side:

Cisco ASA 5510

One connection profile configured with the primary external IP of the branch location

On the crypto map that was generated with the connection profile, it is set to bidirectional and I added the backup internet IP to the list of peer IPs

Branch Side:

Sonicwall NSA240

VPN is set to point to the ASA 5510 IP address

The VPN is bound to "ZONE WAN" for the interface

It is set using Main Mode with the password

What am I missing or what do I need to do to make this work properly?

The exact message on the Cisco ASA 5510:

XAuth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal

QM FSM error (P2 struct &0xb4be2628, mess is 0xc54f7ba1)!

Removing peer from correlator table failed, no match!
