
Site-to-Site VPN upgrade from 8.2 --> 8.3 --> 8.4

Hello all,

I have done some searching to find where my mistake is, but I have come up empty, so I was hoping someone might be able to shed some light on the situation. I recently upgraded an ASA from 8.2 up to 8.4 (8.4(4)1 to be specific). We have two site-to-site VPNs coming into the ASA, and one of the VPNs came up and the other did not. It looks like it is not even getting to the ISAKMP exchange. However, I noticed that one ASA is set up with a crypto map that points to an ACL using an object-group, and the one that is working uses a crypto map that points to an object network. Should the auto-conversion process of upgrading the code have converted the object-group to an object network, or is this still a valid way to define interesting traffic on the ASA?

Also, for my NAT statement to exempt traffic, I have seen many people using the identity NAT without the no-proxy-arp and route-lookup additions, and some with. Which is the correct way in 8.4? Any information would be very much appreciated!

Best Regards,

Alan

Accepted Solutions

Site-to-Site VPN upgrade from 8.2 --> 8.3 --> 8.4

Hello Alan,

The route-lookup is for a bug when you are unable to ping the inside interface from the other side of the tunnel.

Now, as long as the crypto ACL is properly set, it does not matter if you are using one or the other...

You can share both site-to-site configs and I can check them if you like.

Please rate all the helpful posts.

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Site-to-Site VPN upgrade from 8.2 --> 8.3 --> 8.4

Hi Julio,

Thanks for the response. I rechecked the crypto map ACLs and discovered they were not the same on both ends of the VPN tunnel. There was also a routing problem, so traffic wasn't necessarily routing properly to the VPN tunnel. Thanks for your suggestion, it helped!

Best Regards,

Alan
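
Added example, not part of the original thread: a Python check for the cause found above (crypto ACLs that are not mirror images on the two peers), which also shows that an object-group and an object network reduce to the same comparison once expanded. The two configs, the object names and the ACL name are constructed, and the parser assumes only the `subnet`, `host`, `network-object`, `object` and `object-group` forms.

```python
import ipaddress

# Constructed sample configs (not from the thread): A uses an object-group, B plain objects.
SITE_A = """
object-group network LOCAL_NETS
 network-object 10.1.0.0 255.255.255.0
 network-object 10.1.1.0 255.255.255.0
object network REMOTE_NET
 subnet 10.2.0.0 255.255.255.0
access-list VPN_ACL extended permit ip object-group LOCAL_NETS object REMOTE_NET
"""
SITE_B = """
object network LOCAL_NET
 subnet 10.2.0.0 255.255.255.0
object network REMOTE_NET
 subnet 10.1.0.0 255.255.255.0
access-list VPN_ACL extended permit ip object LOCAL_NET object REMOTE_NET
"""

def take_addr(t, objs):
    """Consume one address spec from token list t; return (networks, rest)."""
    if t[0] in ("object", "object-group"):
        return set(objs[t[1]]), t[2:]
    if t[0] == "host":
        return {ipaddress.ip_network(t[1])}, t[2:]
    return {ipaddress.ip_network(f"{t[0]}/{t[1]}")}, t[2:]   # address + netmask

def crypto_pairs(cfg, acl):
    """Expand every 'permit ip' entry of the named ACL into (src, dst) networks."""
    objs, cur, pairs = {}, None, set()
    for line in filter(str.strip, cfg.splitlines()):
        t = line.split()
        if line[0] == " " and cur is not None:        # body of an object / group
            if t[0] in ("subnet", "network-object", "host"):
                cur |= take_addr(t if t[0] == "host" else t[1:], objs)[0]
        elif t[0] in ("object", "object-group") and t[1:2] == ["network"]:
            cur = objs.setdefault(t[2], set())
        else:
            cur = None
            if t[:5] == ["access-list", acl, "extended", "permit", "ip"]:
                src, rest = take_addr(t[5:], objs)
                pairs |= {(s, d) for s in src for d in take_addr(rest, objs)[0]}
    return pairs

def mirror_mismatches(cfg_a, acl_a, cfg_b, acl_b):
    """Return (only on A, only on B) after flipping B's entries to A's viewpoint."""
    a = crypto_pairs(cfg_a, acl_a)
    b = {(d, s) for s, d in crypto_pairs(cfg_b, acl_b)}
    return sorted(a - b, key=str), sorted(b - a, key=str)
```

With the sample input, site A's second local subnet has no counterpart on site B, so it is reported as present only on A; both lists are empty when the two ACLs mirror each other.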
