I've attached a PDF with a diagram to help explain. (Red traffic: failover route; blue traffic: normal data.)
Basically, traffic from 192.168.40.xxx needs to be able to talk to devices at 10.21.1.71, traveling from the Cisco 861 to Cisco HQ via the VPN. In normal operation the satellite network passes traffic to the 861 for encryption. But when the sat is down, the Pepwave can fail over to the Cisco via 3G.
The VPN ACL for the Cisco to Cisco is already 192.168.40.xxx to 10.21.1.71.
So would the VPN ACL for the 3G (dynamic) to Cisco be 192.168.40.xxx to 10.21.1.71 as well, as the intended destination is 10.21.1.71 and the source is 192.168.40.xxx?
Or would I need to route traffic differently?
And I assume the best way to do this is to use one crypto map with different priorities?
So if I understand right, with the static map you are trying to build a site-to-site VPN over the satellite link, and as a backup you have configured a dynamic-map to accept a dynamic connection from the Peplink 3G device over the same WAN connection?
If both tunnels are built over the same WAN interface, do note that if both peers try to build a tunnel with the router at the same time, it's going to keep only one (since both peers present the same VPN network/proxy-id).
What exactly happens when you add the dynamic profile? Let's say you have the tunnel working fine with the ASA and you add the dynamic profile, does the tunnel with the ASA go down?
Debug logs should tell us why a tunnel is torn down.
debug crypto condition peer ipv4 <remote peer public IP> //** set the condition for both ASA and peplink device one by one.
Collect the following debugs:
debug cry isa
debug cry ipsec
After collecting the debugs, turn them off using "undebug all".
Your comments about the network are correct. The satellite passes traffic to the Cisco at a ground station to be encrypted to the Cisco at HQ. Once the sat is down, the 3G tunnel needs to pass traffic to the ground station Cisco for routing down the same tunnel to HQ.
So both the Pepwave and Cisco 86X use the same ACL to access the HQ Cisco via VPN. Would that cause both peers to present the same VPN network/proxy-id on the same WAN?
Only part of the Pepwave 3G tunnel comes up (the part that doesn't include the same addresses as in the satellite link in the ACL).
Would you know of a way to get around this?
I only have access to the Cisco 86X (on IOS) and Pepwave, so can't run the ASA commands. I'll post what I have from the IOS though ASAP.
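
The proxy-ID overlap discussed in this thread can be checked offline before touching the crypto maps. The following is an added example, not code from any poster: it parses IOS-style crypto ACL entries and splits the 3G ACL's selectors into those that collide with the satellite ACL and those unique to the 3G peer. The ACL numbers, the /24 mask on 192.168.40.xxx and the 192.168.50.0 entry are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample ACLs: numbers, the /24 mask and 192.168.50.0 are assumptions.
SAT_ACL = "access-list 110 permit ip 192.168.40.0 0.0.0.255 host 10.21.1.71"
G3_ACL = """\
access-list 120 permit ip 192.168.40.0 0.0.0.255 host 10.21.1.71
access-list 120 permit ip 192.168.50.0 0.0.0.255 host 10.21.1.71
"""

def _take_net(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) from the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard masks are inverted netmasks; invert explicitly so that
    # 0.0.0.0 means "exact host". Non-contiguous wildcards raise ValueError.
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    mask = ipaddress.IPv4Address(wild ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{head}/{mask}", strict=False)

def parse_crypto_acl(text):
    """Return [(src_net, dst_net)] for each 'permit ip' entry (the proxy IDs)."""
    selectors = []
    for line in text.splitlines():
        m = re.search(r"\bpermit\s+ip\s+(.+)$", line.strip())
        if not m:
            continue
        tokens = m.group(1).split()
        selectors.append((_take_net(tokens), _take_net(tokens)))
    return selectors

def split_by_overlap(acl_a, acl_b):
    """Split acl_b's selectors into (colliding with acl_a, unique to acl_b)."""
    a = parse_crypto_acl(acl_a)
    clash, unique = [], []
    for src, dst in parse_crypto_acl(acl_b):
        hit = any(src.overlaps(s) and dst.overlaps(d) for s, d in a)
        (clash if hit else unique).append((str(src), str(dst)))
    return clash, unique

if __name__ == "__main__":
    clash, unique = split_by_overlap(SAT_ACL, G3_ACL)
    print("selectors both peers would present:", clash)
    print("selectors only the 3G peer presents:", unique)
```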