Second Site-to-Site VPN on a crypto map not coming up

2,843 Views
Last Modified: 2012-05-10
I've got an ASA 5510 running ASA 8.2(2) happily serving a single Site-to-Site VPN tunnel. Now, I'm trying to add a second tunnel on the same interface and running into issues. Although the second tunnel is defined and looks OK in the config, I don't see it in the output of "sh crypto isakmp sa". Only the first tunnel shows, and it's up and active.

If I enable isakmp and ipsec debugging and do a "clear isakmp sa", I see the first tunnel connecting and coming up, but the ASA doesn't even seem to be trying to bring up the second tunnel. No connection attempts, no errors.

Here's what I have configured (relevant parts only). In this example, 11.11.11.11 is the ASA at Site1, 22.22.22.22 is the ASA at Site2, and 99.99.99.99 is my local outside interface.

object-group service SiteToSiteVPN
 service-object esp
 service-object udp eq isakmp
object-group network SiteToSiteVPNSources
 network-object host 11.11.11.11
 network-object host 22.22.22.22

access-list OUTSIDE-TO-INSIDE extended permit object-group SiteToSiteVPN object-group SiteToSiteVPNSources host 99.99.99.99

access-list FIRST-SITE-TO-SITE-VPN extended permit ip object-group SiteToSiteVPN-Site1-Targets object-group SiteToSiteVPN-Site1-Sources
access-list SECOND-SITE-TO-SITE-VPN extended permit ip object-group SiteToSiteVPN-Site2-Targets object-group SiteToSiteVPN-Site2-Sources
(these object groups are setup with appropriate source/target IP in each end's private address space)

nat (outside) 0 access-list VPN-NO-NAT
nat (inside) 0 access-list VPN-NO-NAT
(appropriate ACLs are setup to prevent NAT on the VPN traffic)

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map SITE-TO-SITE-VPN 1 match address FIRST-SITE-TO-SITE-VPN
crypto map SITE-TO-SITE-VPN 1 set peer 11.11.11.11
crypto map SITE-TO-SITE-VPN 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map SITE-TO-SITE-VPN 1 set security-association lifetime seconds 604800
crypto map SITE-TO-SITE-VPN 1 set security-association lifetime kilobytes 1024000000
crypto map SITE-TO-SITE-VPN 2 match address FIRST-SITE-TO-SITE-VPN
crypto map SITE-TO-SITE-VPN 2 set peer 22.22.22.22
crypto map SITE-TO-SITE-VPN 2 set transform-set ESP-3DES-SHA
crypto map SITE-TO-SITE-VPN 2 set security-association lifetime seconds 28800
crypto map SITE-TO-SITE-VPN 2 set security-association lifetime kilobytes 1024000000
crypto map SITE-TO-SITE-VPN interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp disconnect-notify
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

tunnel-group 22.22.22.22 type ipsec-l2l
tunnel-group 22.22.22.22 ipsec-attributes
 pre-shared-key *****
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
 pre-shared-key *****

Here's the output of "sh crypto isakmp sa" - only the Site1 tunnel is showing:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 11.11.11.11
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Any questions or clarifications needed, please ask!
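Editor's note on the posted crypto map, with an added check that is not part of the original post. An ASA walks a crypto map in ascending sequence order and uses the first entry whose match ACL fits the packet; it only initiates IKE to a peer when interesting traffic selects that peer's entry. In the configuration above, entry 2 is bound to the same ACL as entry 1 (FIRST-SITE-TO-SITE-VPN rather than SECOND-SITE-TO-SITE-VPN), so every packet that could select entry 2 is already claimed by entry 1 and the ASA never has a reason to contact 22.22.22.22, which matches the "no connection attempts, no errors" symptom. The script below is example code written for this page: it parses crypto map lines in the format posted (the map text is copied from the post, trimmed to the relevant lines) and reports any entry whose ACL is shadowed by a lower sequence number; the FIXED_CRYPTO_MAP string is an assumed correction, not something from the post.

```python
import re
from collections import defaultdict

# Crypto map lines copied from the posted configuration (transform-set lists
# shortened). Entry 2 reuses FIRST-SITE-TO-SITE-VPN, the defect to surface.
POSTED_CRYPTO_MAP = """
crypto map SITE-TO-SITE-VPN 1 match address FIRST-SITE-TO-SITE-VPN
crypto map SITE-TO-SITE-VPN 1 set peer 11.11.11.11
crypto map SITE-TO-SITE-VPN 1 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map SITE-TO-SITE-VPN 2 match address FIRST-SITE-TO-SITE-VPN
crypto map SITE-TO-SITE-VPN 2 set peer 22.22.22.22
crypto map SITE-TO-SITE-VPN 2 set transform-set ESP-3DES-SHA
crypto map SITE-TO-SITE-VPN interface outside
"""

# Assumed fix (not from the post): point entry 2 at its own ACL.
FIXED_CRYPTO_MAP = POSTED_CRYPTO_MAP.replace(
    "SITE-TO-SITE-VPN 2 match address FIRST-SITE-TO-SITE-VPN",
    "SITE-TO-SITE-VPN 2 match address SECOND-SITE-TO-SITE-VPN",
)

# Only the sub-commands this check needs; "crypto map NAME interface X" and
# lifetime settings are ignored on purpose.
ENTRY_RE = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (.+)$"
)


def parse_crypto_map(config):
    """Return {map_name: {seq: {"acl", "peer", "transform_sets"}}}."""
    maps = defaultdict(dict)
    for raw in config.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        name, seq, keyword, value = m.groups()
        entry = maps[name].setdefault(
            int(seq), {"acl": None, "peer": None, "transform_sets": []}
        )
        if keyword == "match address":
            entry["acl"] = value.strip()
        elif keyword == "set peer":
            entry["peer"] = value.strip()
        else:
            entry["transform_sets"] = value.split()
    return maps


def find_shadowed_entries(config):
    """List entries whose match ACL is already claimed by a lower sequence.

    The ASA evaluates entries in ascending sequence order and stops at the
    first ACL match, so a later entry that reuses an earlier ACL is never
    selected and its peer is never contacted.
    """
    findings = []
    for name, entries in parse_crypto_map(config).items():
        first_seen = {}  # acl -> lowest sequence number using it
        for seq in sorted(entries):
            acl = entries[seq]["acl"]
            if acl is None:
                findings.append({"map": name, "seq": seq, "acl": None,
                                 "shadowed_by": None,
                                 "peer": entries[seq]["peer"],
                                 "reason": "no match address"})
                continue
            if acl in first_seen:
                findings.append({"map": name, "seq": seq, "acl": acl,
                                 "shadowed_by": first_seen[acl],
                                 "peer": entries[seq]["peer"],
                                 "reason": "ACL already used by lower sequence"})
            else:
                first_seen[acl] = seq
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CRYPTO_MAP), ("fixed", FIXED_CRYPTO_MAP)):
        problems = find_shadowed_entries(cfg)
        print(f"{label}: {len(problems)} problem(s)")
        for p in problems:
            print(f"  {p['map']} seq {p['seq']} (peer {p['peer']}): "
                  f"{p['reason']} (ACL {p['acl']}, entry {p['shadowed_by']})")
```

After changing entry 2 to `match address SECOND-SITE-TO-SITE-VPN`, confirm the binding with `show crypto map`, then remember that the ASA still initiates only on interesting traffic: send something from the Site2 source range (or run `packet-tracer input inside ...` with a source and destination covered by that ACL) and watch `show crypto isakmp sa` and `show crypto ipsec sa peer 22.22.22.22` for the new peer. `clear isakmp sa` alone tears tunnels down; it does not trigger a new negotiation.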
This problem has been solved!