Cisco VPN :: ASA5510 Site To Site Tunnels Suddenly Goes One-way

May 15, 2011

I have a setup with a pair off ASA5510 on the central site, and approx 20 sites with ASA5505.A couple off network are configured as site to site tunnels to every remote site.Its very stable, but the last year or so ocassionally one of the tunnels go one-way.Just like one of the nat exeptions suddenly stops working.I can see the remote side transmitting packets, but no answer.Central site is running 8.22, want to upgrade but have to mount more RAM.The only cure i have found is to reboot the central pair off ASA5510, not very popular as all 20 tunnels goes down.

View 1 Replies


Cisco VPN :: Multiple Site To Site IPSec Tunnels To One ASA5510

Dec 4, 2012

Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall.

View 3 Replies View Related

Cisco VPN :: How Many Roaming User And Site-to-site Vpn Tunnels Supported In ISR 2921

Sep 4, 2012

How many [concurrent and maximum] roaming user tunnel and site to site vpn tunnels are supported in ISR 2921 ..

View 5 Replies View Related

Cisco Firewall :: Max Number Of Clients And Site To Site VPN Tunnels On ASA 5505

Aug 15, 2012

I wanted to know the maximum VPN client sessions (using the Cisco VPN  client) and Site-to-Site VPN tunnels that I can connect to my ASA 5505  simultaneously.
In other words, if I have x VPN clients and y Site-to-Site  tunnels, at any time, does x + y have to be <= 10 (Total VPN Peers)?  If yes, can I upgrade to the security plus license to increase the Total VPN Peers to 25?

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled

View 3 Replies View Related

Cisco VPN :: ASA 5520 - Routing Traffic Between Two Site To Site Tunnels

Feb 24, 2013

I am trying to establish routing between two Site to Site vpn tunnels, both of which are terminating on the same outside interface of my Cisco ASA.
find attached Network Diagram for the same. All Firewalls used are Cisco ASA 5520.
Both VPN tunnels between Point A and Point B, Point B and Point C too are up. I have enabled Same security level intra interface permit command also.
How do i enable traffic originating from LAN Subnets behind Point A to reach LAN Subnets behind Point C without having to create a Seperate tunnel between Point A and Point C

View 5 Replies View Related

Cisco Routers :: Site To Site VPN Tunnels From A RV042G Router?

Dec 15, 2012

I have an issue with 2 site to site VPN tunnels from a RV042G router. The issue is for both VPN tunnels is that in the logs, it is showing that when the RV042G router is trying to establish the tunnel, it is getting a response from the remote gateway internal address and not the Public address of the remote gateways. On the remote gateways I have other site to site VPN's terminating fine and the tunnels are passing traffic. I only have an issue with the RV042. On the VPN Tunnel page it shows for both tunnels waiting for connection.   This is an output from the log of the RV042G
Dec 17 15:19:48 2012VPN Log(g2gips0) #2174: sending encrypted notification INVALID_ID_INFORMATION to  203.43.XX.XXX:500 Dec 17 15:19:48 2012VPN Log(g2gips0) #2174: [Tunnel Negotiation Info] >>> Initiator Receive  Main Mode 6th packet Dec 17 15:19:48 2012VPN Log(g2gips0) #2174: [Tunnel Negotiation Info] >>> Initiator Receive  Main Mode 6th packet Dec 17 15:19:48 2012VPN Log(g2gips0) #2174: Peer ID is ID_IPV4_ADDR: '' Dec 17 15:19:48 2012VPN Log(g2gips0) #2174: we require peer to have ID '203.43.XX.XXX', but peer  declares '' Dec 17 15:19:48 2012VPN Log(g2gips0) #2174: we require peer to have ID '203.43.XX.XXX', but peer  declares '' Dec 17 15:19:48 2012VPN Log(g2gips0) #2174: sending encrypted notification INVALID_ID_INFORMATION to  203.43.XX.XXX:500 Dec 17 15:39:50 2012VPN Log(g2gips1) #2192: [Tunnel Negotiation Info] >>> Initiator Receive  Main Mode 6th packet Dec 17 15:39:50 2012VPN Log(g2gips1) #2192: Peer ID is ID_IPV4_ADDR: '' Dec 17 15:39:50 2012VPN Log(g2gips1) #2192: we require peer to have ID '203.47.XXX.XX', but peer  declares '' Dec 17 15:39:50 2012VPN Log(g2gips1) #2192: we require peer to have ID '203.47.XXX.XX', but peer  declares '' Dec 17 15:39:50 2012VPN Log(g2gips1) #2192: sending encrypted notification INVALID_ID_INFORMATION to  203.47.XXX.XX:500
VPN tunnel terminating on 203.43.XX.XXX is a Checkpoint firewall running R70 software version?VPN tunnel terminating on 203.47.XXX.XX is a Cisco ASA 5510 running ASA 8.2.4 software?As stated above, I have other VPN tunnels working fine. This RV042 is a replacement router as the original router suffered a power surge.

View 1 Replies View Related

Cisco VPN :: ASA5510 - Site To Site With Dynamic IP In One Site

Jan 27, 2012

i want configure VPN between backoffice which have ASA5510 firewall with static IP and site which have cisco router 1861 with dynamic IP.
how i can configure the site to site between them?

View 2 Replies View Related

Cisco VPN :: 1941 - Site-to-site Tunnels Go Down

Feb 8, 2013

I have vpn-concentrator on vyatta, 8 cisco 881w and 2 cisco 1941 with vpn site-to-site connected to vyatta. They all are in one ISP's vlan native L2 level.
I user pre-shared key, aes128 and md5 hash.
Traffic goes both sides, everything is okay, i strated cacti monitor of traffic and CPU, started netflow analyzer.
Sometimes one ipsec connection between any of branches go down, it doesn't have any extra CPU load, not more then 20-30%, no huge traffic but somewhy i recieve phone call like "i can't reach server" i check on vyatta - tunnels are down with one router, i do "reset vpn ipsec-peer N" and everything is ok.
I mentioned that when I added "keepalive periodic 10" on ciscos, tunnels started go down more often, for exmaple usually I recieve 1-2 phone calls during a day, whan I added this command, i started to recieve 4-5 phonecalls from branches.

it's always random tunnel down branch, today it was one 1941 and one 881w, yesturday it was 3 881w during all day

View 1 Replies View Related

Cisco VPN :: ASA5510 ISP Site To Site VPN Failover With Load Balancing

Apr 16, 2011

I have a ASA5510 actve/standby and create one site to site VPN with remote peer ip address xx.xx.xx.xx, Our VPN traffic running on 6 mb internet link for video conferancing traffic.Now client give another link 2 mb internet and client told to us our data traffic runnig on 2 mb link but this data traffic running on the same remote peer IP xx.xx.xx.xx.Secondly request also they need failover over the ISP we implement the same on ASA 5510.

View 0 Replies View Related

Cisco VPN :: Reverse Route Injection On ASA5510 Site-to-site

Jul 29, 2011

We have two ASA5510's connected to two different ISP's and both able to initiate a site-site IPsec connection to a remote site. Depending on the state of the ISP's either ASA may initiate this VPN.We use Reverse Route Injection into OSPF for VPN clients and it works fine with the route being distributed when a client connects and disappearing when there are no clients.So we thought we'd try it for our site-site VPN's. Unfortunately when we enable Reverse Route Injection the routes are distributed regardless of whether the VPN is up or not, so if one ASA has initiated a VPN it's reverse route is distributed (which is what we want) but the other ASA also distributes a route for it's non-existent VPN. The result is that our gateway routers see two OSPF routes and can't ascertain which route is actually up.
Is there any way to distribute the route using Reverse Route Injection (or any other method) only when a site-site VPN is actually up? For various reasons we can't use BGP or other gateway routing protocols.Our ASA5510 are currently running IOS 8.2(1)

View 2 Replies View Related

Cisco VPN :: Network-access Between ASA5505 And ASA5510 (site-to-site)

May 9, 2011

we set up a site-to-site-vpn between a 5505 and a 5510 (both asa8.3.1). We configured both sides using the VPN-Wizard in the ASDM. When we try to ping from the network behind the 5505 ( to any host behind the 5510 ( the tunnel gets established but the ping doesn't get trough. After that we tried to connect via RDP to any host behind the 5510 and it worked well (same with ssh, telnet,vnc etc.). Now we want to map a network-share on a 2008-Server behind the 5510 but it's not working. In the ASDM-Log I see some "denied by inside-access in"-messages for the ports 139 and 445. Isn't it right that the whole traffic in the vpn-tunnel bypasses the acl? Even if we open both ports we can't connect to the network-share?

View 1 Replies View Related

Cisco VPN :: ASA5510 - Sample Configure VPN Site To Site On ASA 5512-x V.9.1

Mar 18, 2013

sample configer ASA 5512-x v.9.1 for VPN site to Site, i use to configure on ASA 5510 V.8.2 but on ver 9.1 i never configure. my is use that i dont know to how to configure nonat. i saw some configration as in the attach file they just to show configure VPN but we did not see nonot on command.

View 2 Replies View Related

Cisco VPN :: Configure Site-to-site VPN Using 881 Router On End And Connecting To ASA5510?

Aug 22, 2011

I need to configure a site-to-site VPN using a Cisco 881 router on my end and connecting to an ASA5510 on my suppliers end.Our supplier has configured their end and I do not have access to their configuration.
They told us we have to NAT all inside address' to a single address ( as this is the only one they will let through their firewall/tunnel.I know how to set up the VPN but not too sure how to set up the NAT part.
My sanatized config is attached. The code I am using to NAT my inside network to the single address, and send all traffic accross the VPN tunnel as this address is correct? With the router running this config the VPN tunnel does not connect.

View 2 Replies View Related

Cisco WAN :: Site-to-Site VPN ASA5510 - 887VA Dropping Every 20 Seconds

Apr 21, 2013

I have an issue with a site-to-site VPN tunnel between a ASA5510 and 887VA.  I  have two tunnels connected to the ASA and one seems to be affected where by the tunnel is disconnected and brought up around every 20 seconds.  The tunnel is re-established instantly but this break in transmission is causing application issues.

View 2 Replies View Related

Cisco VPN :: Establish Site To Site VPN Between ASA5510 To 5520

Jul 26, 2011

I'm trying to establish site to site VPN between ASA5510 to ASA5520, scenario. [code] our Vendor said to nat the local network to specific ip and use that ip as local pool,here the configuration details [code] i create static nat but its doesn't work for me phase 1 is not up, how to create nat local network to

View 9 Replies View Related

Cisco VPN :: Establishing Site-to-Site VPN Between ASA5510 And Fortigate1000A?

Feb 8, 2012

I am trying to establish a Site-to-Site VPN to our customer. I am using ASA5510 and the customer was using Fortigate 1000A. The problem that we're having was regarding the IKE Phase 2, I think!. Cisco debug information indicates "All IPSec SA proposals found unacceptable!"

View 11 Replies View Related

Cisco VPN :: ASA5510 / Site To Site Vpn Access Blocked?

Sep 4, 2012

I have two sites connected using ASA5510 version 6.4(5)

   site A                                                     site B -- ASA -------internet ------------ASA --
From site A, i can vnc, rdp, telenet and ssh to site B, however from site B am not able to rdp, vnc telnet or ssh to site A (i can ping site A devices) guess am missing something in the policy but not sure if its in site A or Site B

View 4 Replies View Related

Cisco VPN :: Site-to-Site VPN Between C2921 And ASA5510

Jun 25, 2012

I setup site to site VPN between C2921 (site A) and ASA 5510 (site B). I am having problems with SA being deleted:
1: I can alwasy initiate VPN connection from Site B to Site A.
2: after VPN tunnel is up and idle for a while, SA is dropped and I lost VPN connection from Site A to Site B.
3: to get the connection back, I have to ping Site A from Site B
4: when the connection is established, it works fine!

View 3 Replies View Related

Cisco VPN :: ASA5510 Site-to-Site VPN Same LAN Subnets

Jan 21, 2013

I am setting up a VPN between my client and their owner, in order for the owner to access ressources at my clients site.Unfortunatly their owner already has an VPN connection to another site with the same subnet as the one on my clients site.I have setup a policy NAT to translate my clients internal LAN to a "NAT" LAN, and i can ping from my clients LAN to their owners LAN, but their owner can not reach any ressources at my clients LAN.
My client has a ASA5510 with a base license, but their owner has their firewall and routing "leased" or something like that, it actually was their ISP who configured the VPN settings. That means of course that i have very limited (no) access to the other site's firewall and I actually even dont know make and model of it.
And last but not least, the subnet the Owner needs to access is on my clients Core Switch and the ASA has an internal route to it.I have pasted in a interresting parts of the ASA config here below, the displayed subnets are not the real ones . [code]

View 2 Replies View Related

Cisco WAN :: ASA5510- Site-to-site Using DNS Name

May 31, 2011

I have some home office setups that have s2s VPNs which terminate on my netscreen SSG5.  I am moving off the SSG and onto an ASA5510 but not sure if or how I can make this work?  The end users do not have static IPs at this point.  I use dyn dns on their home routers to update their DHCP IPs from the providers.  If they can't get static IPs how can I specify the peer ID with a DNS name rather than IP address?

View 1 Replies View Related

Cisco VPN :: 5510 Site To Site VPN Access To Servers With Overlapped Remote Site

May 18, 2012

I have a requirement to create a site to site vpn tunnel on ASA 5510 from a remote site to my HO, ihave already other site-to-site tunnels are up and running on the ASA.The issue is my remote site has got the network address which falls in one of the subnet used in HO( requirement is only  My remote site need to accees couple of my servers in HO which is in subnet.

View 2 Replies View Related

Cisco VPN :: 5520 Requirement To Terminate Site-to-site VPN From Remote Site

Jun 17, 2012

We have ordered a pair of Cisco ASA5520 (ASA5520-BUN-K9).Now there is a requirement to terminate site-to-site VPN from remote site. Do we need VPN plus licence for this and how much it cost?

View 1 Replies View Related

Cisco VPN :: 877 / How To IPsec Site To Site Vpn Port Forwarding To Remote Site

Jun 13, 2012

The scenario where a Site to Site VPN tunnel has been established between Site A and Site B. Lan on Site A can ping Lan on Site B. My problem is a Printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also i could not ping the remote lan or printer from the router.
Below are my configure on the Cisco 877 in site A.  
Building configuration... 
Current configuration : 5425 bytes
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
version 12.4
no service pad


View 1 Replies View Related

Cisco VPN :: 5505 - Site To Site Connected But Cannot Ping Remote Site

Oct 11, 2011

cisco products and am struggling getting a VPN going between an ASA 5505 and 5510.  I have a VPN created (using the VPN wizward on both) and it shows the VPN is up, but I can't ping the remote site (from either side).

View 11 Replies View Related

Cisco VPN :: ASA 5505 / Site To Site Vpn With One Site Always Initiate A Tunnel?

Feb 7, 2011

I have ASA 5505, i configured site to site vpn between central site and remote site and is working. Now the problem is we use remote site for troubleshooting purpose, so we need to create a tunnel from remote site to central site. I need to configure such a way that remote site can craete a tunnel to central site, but central site not able to create a tunnel, it just respond to remote site.

View 3 Replies View Related

Cisco VPN :: ASA 5505 Site To Site Connection / Remote Site?

Mar 6, 2011

i have 2 router asa 5505 with base license i wanna make site to site vpn connection and remote site using vpn client to connect first i have hdsl router with 5 public ip i wanna try it by giving 1 public ip to each router and try the vpn but nothing work?

View 1 Replies View Related

Cisco VPN :: ASA 5510 With 2 L2L Tunnels To Same Site / Network

Feb 24, 2010

I have an ASA  5510 at Site A with a L2L tunnel to another site, Site B. Single subnet at each site. In a few weeks we will be adding a second Internet connection to Site B, so both connections will be active. But we want traffic to go over the new connection unless it goes down, then use the other. How do I set that up on the ASA so it doesn't get confused as to which tunnel to take to get to the Site B subnet?

View 5 Replies View Related

Cisco :: IPSec GRE Tunnels And Traditional Site VPNs

Mar 21, 2011

I've been reading this site for a while, and finally decided to post I'm really interested to see what everyones opinion on this is.My company currently uses what i would call traditional site to site VPN's using crypto maps, main site has a pair of ASA's in HA and remote sites use ISR's like 1801's.I've recently been playing in my lab with GRE tunnels using IPSec protection (note this is config from my labs, so ip's and key's are just randomly selected)

View 17 Replies View Related

Cisco Firewall :: ASA5510 Configured One Site To VPN

Feb 10, 2013

i have  cisco  ASA5510  Firewall and  configured   one  site to VPN . i  want  to   configure  another  s2s vpn  in  the FW for  another  Site location.what  to  in the existing  Firewall  so that  2  site to site  vpn  can work.

View 4 Replies View Related

Cisco Firewall :: ASA5510 Cannot Connect To Site Through Appliance

Mar 22, 2011

I have an @Remote appliance through Ricoh for our copiers.  This appliance connects to their site to transfer meter readings and other information.  This appliance can't connect to their site to transmit data.  Ricoh is telling me the problem is on our firewill.  I have assigned the Ricoh appliance a static IP address in our network.  Our firewall is a Cisco ASA 5510.  I don't have much expereince with logging on the ASA, so I'm not sure what "teardown dynamic TCP translation from inside" means.  Is there something that is preventing this IP from contacting the Ricoh site? [code]

View 3 Replies View Related

Cisco VPN :: ASA5510 - Latency Through IPsec Vpn Site Tunnel

Apr 26, 2012

I have an asa 5510 that has many(17)ipsec vpn site tunnels on it.  One of the tunnels, one running to a c1900isr at the other end, is experiencing 400 to 500ms latency through it.  It does appear to be the tunnel only because there is no latency to the internet.  I cleared the tunnel group out and readded it to no effect.  isp says everything fine.  any other known causes for this

View 2 Replies View Related

Cisco Firewall :: ASA5510 8.4(5) Outside PPPOE Interface Not Available In Site

May 13, 2013

We have a Cisco ASA 5510 with:
-version: asa845-k8.bin
-ASDM: asdm-711-52.bin
Interface "Outside" is a PPPOE configuration.We currently have 36 site to site VPN connections up and running through the "Outside" interface. Now when we try to add, via ASDM, a new site to site VPN connection, we can not choose the "Outside" interface. The interface is just not available. All other interfaces are, bot those are inside interfaces.
I tried running ASDM on a different computer (thought that ASDM or java got corrupted perhaps), but the same problem appeared.Now when we "shutdown" the outside interface and "no shutdown" it again, the "Outside" interface is available again when you add a new site to site VPN profile.
Sidenote: if we check the current profile of a succesful running site to site VPN, it say's that it's using an inside interface. But that is, ofcourse, not possible.

View 3 Replies View Related

Cisco Firewall :: ASA5510 - Web Interface On NAS From Remote Site Across VPN Tunnel?

Dec 3, 2012

I have two routers on my internal network. is a Cisco ASA5510. is a Sonicwall NSA 3500
The sonicwall handles our site to site VPN tunnels.  The Cisco handles our client to site VPN connections.
I have a unit that points to (Cisco) for internet access.  All other clients on the network point to (Sonicwall) for internet access.The device in question, a Synology NAS, is using as it's IP address.
I'm trying to hit the web interface on the NAS from a remote site across our VPN tunnel.  The IP scheme on the remote end of the VPN tunnel is
Going through the VPN, I can hit every object on the network that uses .108 (Sonicwalll) as it's gateway.  However, I cannot hit the unit that uses .106 (Cisco) as it's gateway. 
I added a route statement (using ASDM) that routes all traffic destined to to the Sonicwall so it can send it back down the VPN tunnel.  If I'm understanding routing correctly, this should allow responses from NAS destined for to go back down the VPN tunnel.

View 4 Replies View Related

Copyrights 2005-15, All rights reserved