
New Member

L2L VPN using Dynamic IP -- issue

Dear All,

I have multiple sites with dynamic IP addresses.

At HO I have a Cisco router with a dynamic IP address, on which Internet port forwarding is configured, and the VPN is terminated on an ASA.

I have 40 branches, all with dynamic IPs. All L2L tunnels are up and running.

My issue is that communication from branch to HO is perfect, but from HO I am not able to access any of the branch resources.

Could somebody help me to resolve this issue? Config is attached.


12 REPLIES
Cisco Employee

Re: L2L VPN using Dynamic IP -- issue

Please check the logs on the ASA while running the test for the IP address you're testing with.

Make sure you're logging at least on informational level.

I'm curious, why aren't you using ezvpn in NEM mode instead of l2l?

Marcin

New Member

Re: L2L VPN using Dynamic IP -- issue

Hi Marcin,

Thanks for your support. This was done by some other company and now I am taking care of the network.

I have a doubt about the Cisco ASA (HO): there is no access-list configured on the ASA, but on the branch an ACL is configured.

Please clarify my doubt.

When I try to access a branch from HO, how will the ASA forward the traffic to that particular branch? But when I access HO from a branch it will take the VPN ACL and go out (I am able to access all HO resources from BR).

One more piece of information: I have two Internet routers in HO; 20 branches are connected to one and 20 to the other. On the ASA there is no default gateway configured.

Please suggest me a solution.

Cisco Employee

Re: L2L VPN using Dynamic IP -- issue


Let me address those one by one.

1. Regarding crypto ACL - since we don't know which peer is going to tunnel which subnets (proxy IDs), we rely on the client to request the correct proxy IDs. Thus the other side will request something and we will accept it as proxy IDs for that peer. That's OK with dynamic IP for L2L peers.

2. See answers above, correct proxy IDs are installed on the ASA (or should be).

3. That's indeed interesting.

Can you add "crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse" to your configuration?

If there are two possible routers to go out via ... are they in HSRP or something? Is ASA visible via different IP addresses on the outside depending which dynamic peer connects?

Can you please attach a topology diagram?

Marcin

New Member

Re: L2L VPN using Dynamic IP -- issue

Thanks for your valuable time

As you advised I have added "crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse", but the result was the same (can't access branch from HO), and I am not using any HSRP configuration on the Internet routers.

I am not aware of proxy settings (correct proxy IDs are installed on the ASA). Is it required?

As per the diagram, all locations are using ADSL and port forwarding is configured on both Internet routers for the VPN ports. Kindly go through the attached diagram and suggest.

Cisco Employee

Re: L2L VPN using Dynamic IP -- issue

The ASA installs proxy IDs based on what the dynamic peers ask for.

Did you try to teardown the tunnel after you added reverse route injection?

Can you please attach "show vpn-session" and "sho route".

I would also check logs if it's the ASA dropping those packets.

--------

conf t

logg buffered info

logg buffer-size 1000000

--------

initiate the test and check for me:

-------

sh logg | i SOURCE_IP

sh logg | i DESTINATION_IP

-------

Marcin

New Member

Re: L2L VPN using Dynamic IP -- issue

Thank you Marcin

I have rebooted one of the branch routers after adding reverse route injection.

Kindly check the attached log file which you requested.

Cisco Employee (Accepted Solution)

Re: L2L VPN using Dynamic IP -- issue

AHA!

I understand the setup a little bit better.

It seems that your routers are doing destination NAT, so all tunnels appear to be coming from the "172.16.40.0/23" subnet.

And indeed your assumption is correct: the problem appears to be related to a lack of correct routes pointing to the outside (at least it seems so for now).

However, reverse route injection should take care of it.

Speaking of which, I noticed your tunnels land on crypto dynamic-map alfa and not the system default.

Please add "crypto dynamic-map alfa 1 set reverse" and restart one of the tunnels (do not reload the spoke, just clear the isakmp or ipsec session for it).

We'll see from there.

Marcin

New Member

Re: L2L VPN using Dynamic IP -- issue

Hi Marcin,

That worked! I just added crypto dynamic-map alfa 1 set reverse and restarted the tunnel.

Thanks a lot for your support and the time you spent on this issue.

Cisco Employee

Re: L2L VPN using Dynamic IP -- issue

Glad to be of help ;-)

Until next time.

Marcin

New Member

Re: L2L VPN using Dynamic IP -- issue

one quick question

In HO I have 2 subnets, 192.168.0.x and 192.168.5.x. From 192.168.0.x the branch is accessible, but from 5.x the branch is not accessible.

Any solution for this?

Do I need to configure a VPN ACL or not?

Cisco Employee

Re: L2L VPN using Dynamic IP -- issue

Normally you should not ...

Is this happening all across the spokes or only on some?

Can you show me the "show crypto ipsec sa | i caps|ident|spi|peer" output?
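Reading that filtered output by hand gets tedious with 40 spokes. The following is an added example, not code from the thread or from Cisco: it parses a constructed sample of "show crypto ipsec sa | i caps|ident|spi|peer" as taken on the hub ASA and reports, for each HO subnet, whether some child SA's local proxy ID (what the spoke asked for) covers it and whether the encaps/decaps counters show traffic in both directions. The addresses, counters, SPI and the assumption that the HO subnets are /24s are all made up for illustration.

```python
import re
from ipaddress import ip_network

# Constructed sample of "show crypto ipsec sa | i caps|ident|spi|peer" from the hub
# ASA; addresses, counters and SPI are made up. "spi:" lines are not parsed.
SAMPLE_OUTPUT = """\
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
      current_peer: 172.16.40.12
      #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
      #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
        spi: 0x1A2B3C4D (439041101)
"""

HO_SUBNETS = [ip_network("192.168.0.0/24"), ip_network("192.168.5.0/24")]  # assumed /24s

IDENT_RE = re.compile(r"(local|remote) ident .*?: \((\S+?)/(\S+?)/\d+/\d+\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
CAPS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sas(text):
    """Return one dict per child SA: local/remote proxy IDs, peer and packet counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            kind, addr, mask = m.groups()
            if kind == "local" or cur is None:  # a "local ident" line starts a new SA
                cur = {"peer": None, "encaps": 0, "decaps": 0}
                sas.append(cur)
            cur[kind] = ip_network(f"{addr}/{mask}")  # dotted mask is accepted
        elif (m := PEER_RE.search(line)) and cur is not None:
            cur["peer"] = m.group(1)
        elif (m := CAPS_RE.search(line)) and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return sas

def check_hub_coverage(sas, hub_subnets):
    """For each hub subnet: is it inside some SA's local proxy ID, and does that SA
    carry packets in both directions (encaps and decaps both non-zero)?"""
    report = {}
    for subnet in hub_subnets:
        match = [sa for sa in sas if "local" in sa and subnet.subnet_of(sa["local"])]
        if not match:
            report[str(subnet)] = "no SA: spoke's crypto ACL does not include this subnet"
        elif any(sa["encaps"] and sa["decaps"] for sa in match):
            report[str(subnet)] = "ok: traffic in both directions"
        else:
            report[str(subnet)] = "SA up but one-way traffic: check routes (RRI) and NAT"
    return report
```

With the sample above, 192.168.0.0/24 is covered and passing traffic while 192.168.5.0/24 has no SA at all, which is the pattern to look for when only one HO subnet can reach a spoke.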

New Member

Re: L2L VPN using Dynamic IP -- issue

I am always trying with one branch. I believe the same is happening to all branches.

Please check the output of the command attached
