I am having some issues with the L2L VPN between Cisco router and ASA. I know that ASA creates L2L VPN tunnel on demand when the traffic needs to pass and then tears it down when there is no traffic passing the tunnel but how about the VPN with a router?
What I noticed (after configuring the VPN) is that the tunnel is down. From the router I cannot establish the tunnel (by pinging from the subnet behind the router to the subnet behind the ASA), but from the ASA, yes, the tunnel goes up and even stays up all the time; the ASA does not tear it down when traffic is not passing.
I will have a scenario where I will need to access the subnet behind the ASA from the subnet behind the router, but how do I make this work? How do I initiate the tunnel from the router?
Unless you change the very basic settings that Cisco devices usually have for L2L VPN then there is only one reason that quickly comes to mind without seeing the configurations of the ASA and Router.
It might be that your ASA is also configured with Dynamic Crypto Map configurations for VPN Client connections and they are set too high in the priority in the "crypto map" configuration lines.
This would result in a situation where your ASA would be able to initiate the connection just fine but the Router would be unable to open the L2L VPN connection when it's down, since its connection attempts would always fall to the Dynamic Crypto Map configurations on the ASA.
I am not sure if this is the problem but it's one situation where I have seen such behaviour.
Naturally the configurations of the devices might tell us more.
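An added example, not part of the original thread: a small Python check for the ordering problem this reply describes, where a dynamic crypto map entry has a lower sequence number (higher priority) than a static L2L entry on the same map. The map names, ACL name and peer address in the sample configurations are constructed for illustration.

```python
import re

# "crypto map <name> <seq> <rest>"; lines such as
# "crypto map outside_map interface outside" have no sequence number and are skipped.
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def shadowed_static_entries(config):
    """Return (map_name, static_seq, dynamic_seq) for each static L2L entry
    that is evaluated after a dynamic entry on the same crypto map."""
    dynamic, static = {}, {}
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        if rest.startswith("ipsec-isakmp dynamic "):
            dynamic.setdefault(name, set()).add(seq)
        elif rest.startswith("set peer "):
            # A fixed peer marks the entry as a static L2L entry.
            static.setdefault(name, set()).add(seq)
    findings = []
    for name, seqs in sorted(static.items()):
        if name not in dynamic:
            continue
        first_dynamic = min(dynamic[name])
        # Lower sequence number = evaluated first.
        findings += [(name, s, first_dynamic) for s in sorted(seqs) if s > first_dynamic]
    return findings

# Constructed sample: dynamic entry (seq 5) ahead of the static L2L entry (seq 10).
MISORDERED = """
crypto map outside_map 5 ipsec-isakmp dynamic RA_DYN
crypto map outside_map 10 match address L2L_ACL
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map interface outside
"""

# Constructed sample: same entries with the dynamic entry moved to the end.
REORDERED = """
crypto map outside_map 10 match address L2L_ACL
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 65535 ipsec-isakmp dynamic RA_DYN
crypto map outside_map interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("misordered", MISORDERED), ("reordered", REORDERED)):
        print(label, shadowed_static_entries(cfg))
```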
Thanks for the suggestions. In fact, on the ASA I have static crypto maps and the router is the one with the dynamic crypto map attached to the static crypto map. Does it make any difference on the router side? I tried the VPN with static maps only on the router but that did not work for me.
Do you have any config examples for router to ASA VPN with the tunnel to stay up all the time?