ASA 8.4(3) site to site VPN priority change?

joerggrau
Level 1

I have a couple of remote sites I am connecting to over the Internet.

Now I am trying to add a S2S tunnel between the two sides.

My problem is that I have the original tunnel back to my main office as the tunnel with priority 1 and the second tunnel I created has priority 2.  The problem is that both ranges are in the same basic network range.

Home office 10.0.0.0/8 (includes all kinds of other locations)

Remote 1 10.1.0.0/16

Remote 2 10.2.0.0/16

The first tunnel to/from Remote 1: 

local 10.0.0.0/8 --> 10.1.0.0/16 (and vice versa)

The first tunnel to/from Remote 2:

local 10.0.0.0/8 --> 10.2.0.0/16 (and vice versa)

Tunnel between Remote 1 and 2: local 10.1.0.0/16 and 10.2.0.0/16.

Now because the original tunnel has higher priority and includes the networks of the second priority tunnel the second tunnel never comes up and traffic from remote 1 to remote 2 flows via the main office.

Is there a way to change the priority in retrospect?

Thanks

Joerg

3 Replies

johnnykaye
Level 1

Sure, you can change priority by changing the sequence numbers, the lower the number the higher the priority. However, in your case changing the priority would just put the problem on its head, i.e. all traffic would go towards the second tunnel instead. Thus, you'd need to narrow the "from" part of the statement down as well, at least for the one that is given highest priority.

Hope this helps,

best,

Johnny

So can I simply go ahead and make the changes like below:

Current:

crypto map Internet_map1 1 match address Internet_cryptomap

crypto map Internet_map1 1 set peer 100.100.100.100

crypto map Internet_map1 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Internet_map1 2 match address Internet_cryptomap_1

crypto map Internet_map1 2 set peer 200.200.200.200

crypto map Internet_map1 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

to the following:

no crypto map Internet_map1 1 match address Internet_cryptomap

no crypto map Internet_map1 1 set peer 100.100.100.100

no crypto map Internet_map1 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Internet_map1 10 match address Internet_cryptomap

crypto map Internet_map1 10 set peer 100.100.100.100

crypto map Internet_map1 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

^z

wr mem

I assume all connections will be dropped at that point, but should re-establish by themselves.

Thanks

Joerg

Yes, or add the new one first and delete the old one after that, either way. And yes, the tunnels will go down, and then up again when interesting traffic comes along.

But the way I understood your initial post you'd also need to edit the ACLs in order to achieve what you want, changing priorities is only half the job, if ACLs for both tunnels currently catch the same source scope.

Also, on a side note - if you're going to do wr mem, you'll probably want to have a backup of the startup-config, by doing a "copy start tftp" before you start editing. That way, if things get out of hand, you can easily get the old config up and running without passing a load of commands.

Best,

Johnny
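The first-match behaviour Johnny describes in both replies, modelled as an added Python example (this is not code from the thread, from Cisco, or from the ASA). It assumes the config Joerg posted sits on the Remote 1 ASA, that 100.100.100.100 is the main office and 200.200.200.200 is Remote 2, and that the crypto ACLs contain the constructed ACE lines shown in the block (the thread never shows the ACL contents). It parses ASA-style `access-list` and `crypto map` lines, picks the peer for a flow the way the ASA walks the crypto map (lowest sequence number whose ACL permits the packet wins), and flags entries that an earlier, broader entry shadows completely. It only models ordering and overlap, not IKE negotiation or the peer's proxy IDs.

```python
"""First-match model of ASA crypto-map selection (added example, not from the thread).

Assumptions not stated on the page: this is the Remote 1 ASA, 100.100.100.100 is
the main office, 200.200.200.200 is Remote 2.  The ACE lines are constructed.
"""
import ipaddress
from dataclasses import dataclass


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Turn an ASA 'address netmask' pair into an IPv4Network."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, sip: str, dip: str) -> bool:
        return (ipaddress.IPv4Address(sip) in self.src
                and ipaddress.IPv4Address(dip) in self.dst)


def parse_acls(lines):
    """Parse 'access-list NAME extended permit ip SRC MASK DST MASK' into {name: [Ace]}.
    Only the 'permit ip' form used for crypto ACLs is handled."""
    acls = {}
    for line in lines:
        p = line.split()
        if len(p) != 9 or p[0] != "access-list" or p[2:5] != ["extended", "permit", "ip"]:
            raise ValueError(f"unsupported ACE: {line!r}")
        acls.setdefault(p[1], []).append(Ace(_net(p[5], p[6]), _net(p[7], p[8])))
    return acls


def parse_crypto_map(lines):
    """Collect 'crypto map MAP SEQ match address ACL' / 'set peer IP' lines into
    [(seq, acl_name, peer), ...] ordered by sequence number, lowest first."""
    entries = {}
    for line in lines:
        p = line.split()
        if len(p) < 7 or p[:2] != ["crypto", "map"]:
            continue
        e = entries.setdefault(int(p[3]), {"acl": None, "peer": None})
        if p[4:6] == ["match", "address"]:
            e["acl"] = p[6]
        elif p[4:6] == ["set", "peer"]:
            e["peer"] = p[6]
    return [(seq, entries[seq]["acl"], entries[seq]["peer"]) for seq in sorted(entries)]


def select_peer(crypto_map, acls, sip, dip):
    """Peer of the first (lowest-sequence) entry whose crypto ACL permits the flow,
    or None when the flow is not interesting traffic for any tunnel."""
    for _seq, acl_name, peer in crypto_map:
        if any(ace.matches(sip, dip) for ace in acls.get(acl_name, [])):
            return peer
    return None


def shadowed_entries(crypto_map, acls):
    """Sequence numbers whose every ACE is fully covered by an ACE of an earlier
    entry; such an entry can never be selected, so its tunnel never comes up."""
    shadowed, seen = [], []
    for seq, acl_name, _peer in crypto_map:
        aces = acls.get(acl_name, [])
        if aces and all(any(a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst)
                            for b in seen) for a in aces):
            shadowed.append(seq)
        seen.extend(aces)
    return shadowed


# Constructed ACEs: broad main-office ACL and the narrow Remote 1 -> Remote 2 ACL.
ACL_LINES = [
    "access-list Internet_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.0.0.0",
    "access-list Internet_cryptomap_1 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0",
]
# Johnny's warning: if the entry promoted to highest priority also used the broad
# 10.0.0.0/8 destination, it would swallow main-office traffic as well.
BROAD_ACL_LINES = [
    "access-list Internet_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.0.0.0",
    "access-list Internet_cryptomap_1 extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.0.0.0",
]
ORIGINAL_MAP = [  # as posted: main office at seq 1, Remote 2 at seq 2
    "crypto map Internet_map1 1 match address Internet_cryptomap",
    "crypto map Internet_map1 1 set peer 100.100.100.100",
    "crypto map Internet_map1 2 match address Internet_cryptomap_1",
    "crypto map Internet_map1 2 set peer 200.200.200.200",
]
REORDERED_MAP = [  # after Joerg's change: main-office entry moved to seq 10
    "crypto map Internet_map1 2 match address Internet_cryptomap_1",
    "crypto map Internet_map1 2 set peer 200.200.200.200",
    "crypto map Internet_map1 10 match address Internet_cryptomap",
    "crypto map Internet_map1 10 set peer 100.100.100.100",
]


def demo():
    acls, before, after = parse_acls(ACL_LINES), parse_crypto_map(ORIGINAL_MAP), parse_crypto_map(REORDERED_MAP)
    to_r2, to_hq = ("10.1.5.5", "10.2.7.7"), ("10.1.5.5", "10.0.9.9")
    return {
        "before_r2": select_peer(before, acls, *to_r2),   # shadowed: hairpins via main office
        "before_hq": select_peer(before, acls, *to_hq),
        "after_r2": select_peer(after, acls, *to_r2),     # narrow entry now wins
        "after_hq": select_peer(after, acls, *to_hq),     # broad entry still catches HQ
        "flipped_hq": select_peer(after, parse_acls(BROAD_ACL_LINES), *to_hq),
        "shadowed_before": shadowed_entries(before, acls),
        "shadowed_after": shadowed_entries(after, acls),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `shadowed_entries` over a config pulled with `show running-config crypto map` and `show running-config access-list` before the `wr mem` step is a cheap check that the renumbering, combined with the narrowed ACL, leaves no entry unreachable.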
