ASA 5520 IPSec VPNs - Dropping subnets

gr11gr11gr11
Level 1

Hi All,

I have a Cisco ASA 5520 at Head office and third-party devices at branch offices. The VPNs are configured such that traffic is only defined at the branch office end; at the ASA crypto map, traffic is defined as any to any. This is to avoid creating configs over and over again on the ASA side when adding new sites, so that it can reuse the existing policies and crypto maps.

But I have noticed that for some VPNs, users are unable to ping a server in one specific range, say 192.X.X.X. If I restart the tunnel or the device at the branch office, it is accessible again.

Is there anything that is idle timing out, or any config I need to change?

Has anybody seen this, and is there any remedy?

Thanks

2 Replies

gr11gr11gr11
Level 1

If I am not clear: the VPN at the branch site has, let's say, a few subnets defined:

10.X.X.X
172.X.X.X
192.X.X.X

While the others keep on working, 192 or 172 or any one of them goes missing while the others are still there. So it drops only a subnet, not the whole network. I think it's dropping the rarely used ones. When I log on from ASDM and monitor the VPN, it doesn't show all subnets. The ASA drops the VPN to those subnets.


any advise how to cure this?

Unfortunately you can't have "permit ip any any" as the crypto ACL for all peers/tunnels, as the unique crypto ACL defines which peer/tunnel the encrypted traffic should be sent to. Hence you can't have overlapping subnets for each VPN peer. Native IPsec VPN is unfortunately not routing based; that's why you need to define the exact subnets to identify which tunnel/peer to encrypt and send the traffic to, as the IPsec SA is created based on that.
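To make the reply concrete, here is an added hub-side ASA configuration fragment (not the poster's or the replier's config) that places the shared any/any crypto map entry beside the corrected per-peer form. All subnets, peer addresses, and object/ACL names are constructed placeholders, and the syntax assumes ASA 8.4 or later (the ikev1 keyword); older 8.x images use "crypto ipsec transform-set" and "set transform-set" instead.

```cisco
! --- Weak setting: one any/any entry reused for every branch (do not use) ---
access-list VPN-ANY extended permit ip any any
crypto map OUTSIDE_MAP 10 match address VPN-ANY
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
! Every branch matches entry 10, so the ASA has no unique crypto ACL to tell
! which peer/tunnel a given flow belongs to, which is what the reply warns about.

! --- Corrected: one crypto map entry per peer, each with the exact subnets ---
! Constructed addressing: HQ LAN 10.100.0.0/16, branch A 172.16.10.0/24 and
! 192.168.10.0/24 behind 203.0.113.10, branch B 172.16.20.0/24 behind 203.0.113.20.
object-group network HQ-LAN
 network-object 10.100.0.0 255.255.0.0
object-group network BRANCH-A-LANS
 network-object 172.16.10.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
object-group network BRANCH-B-LANS
 network-object 172.16.20.0 255.255.255.0

! Crypto ACLs are written from the ASA's point of view: HQ source, branch destination.
access-list VPN-BRANCH-A extended permit ip object-group HQ-LAN object-group BRANCH-A-LANS
access-list VPN-BRANCH-B extended permit ip object-group HQ-LAN object-group BRANCH-B-LANS

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-BRANCH-A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address VPN-BRANCH-B
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Each branch device must carry the mirror-image crypto ACL (branch LANs -> HQ-LAN)
! so that the proxy identities of every IPsec SA agree on both ends. If NAT is
! configured on the ASA, the same HQ/branch pairs still need a NAT exemption.
! Check: "show crypto ipsec sa peer 203.0.113.10" should list one SA pair per
! local ident / remote ident, one for each branch subnet in the crypto ACL.
```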