Cisco IPSec Tunnel Has Two Peers in One Sequence Number - why?

amigan_99 asked:
At a client, they have a Cisco ISR with a VPN tunnel to a business partner. What I'm wondering is why they might have two peers in sequence number 10 and one peer (which also appears in sequence 10) in the second sequence number. The original setter-upper is long gone. Is SEQ 10 saying try to connect to 169.45.97.62 but, if you can't, connect to 169.45.95.222? If that's the case, why would there be a need for a SEQ 20 which then again references 169.45.97.62? Any thoughts on what the original intent was are appreciated. I would think you'd just want one peer in sequence 10 and then one peer in sequence 20.

crypto map ACMEDYNO 10 ipsec-isakmp
 set peer 169.45.97.62
 set peer 169.45.95.222
 set transform-set ACMEDYNO
 set pfs group2
 match address CRYPTO-ACMEDYNO-LA
crypto map ACMEDYNO 20 ipsec-isakmp
 set peer 169.45.107.62
 set transform-set ACMEDYNO
 set pfs group2
 match address CRYPTO-ACMEDYNO-DL
Pete Long, Technical Consultant, commented:
That's not usual :) You will probably see that both those peer IPs have the same shared secret in the config.

It probably means one of two things:

1. The other end has changed their IP and nobody removed the old one.
2. The other end has ISP failover, and ISAKMP traffic can come from, or be sent to, either of these peer IP addresses.

Regards,


Pete
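The two checks Pete describes (do both peers share a preshared key, and is one of them a stale address nobody removed?) can be done mechanically against a saved running-config. The script below is an added example for this thread, not code from either participant: it parses the crypto map entries posted in the question, lists entries with more than one "set peer" (IOS tries those peers in the configured order when it initiates), reports any peer that appears under more than one sequence number, and cross-checks the peers against "crypto isakmp key ... address ..." lines. The three isakmp key lines in the sample, the key strings, and the 203.0.113.9 address are constructed for illustration; the sample deliberately leaves 169.45.107.62 without a key and includes a key for an address no map references, so the last two checks have something to report.

```python
import re
from collections import defaultdict

# Constructed sample config for this example: the two crypto map entries posted
# in the question, plus three hypothetical "crypto isakmp key" lines. The key
# strings and the 203.0.113.9 address are made up, not from the original post.
SAMPLE_CONFIG = """\
crypto isakmp key PARTNER-PSK address 169.45.97.62
crypto isakmp key PARTNER-PSK address 169.45.95.222
crypto isakmp key OLD-PARTNER-PSK address 203.0.113.9
!
crypto map ACMEDYNO 10 ipsec-isakmp
 set peer 169.45.97.62
 set peer 169.45.95.222
 set transform-set ACMEDYNO
 set pfs group2
 match address CRYPTO-ACMEDYNO-LA
crypto map ACMEDYNO 20 ipsec-isakmp
 set peer 169.45.107.62
 set transform-set ACMEDYNO
 set pfs group2
 match address CRYPTO-ACMEDYNO-DL
!
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-(?:isakmp|manual)\s*$")
PEER_RE = re.compile(r"^\s+set peer (\S+)")
ACL_RE = re.compile(r"^\s+match address (\S+)")
# "crypto isakmp key [6|7] <key> address <peer> [mask]"; 6/7 mark an encrypted key.
KEY_RE = re.compile(r"^crypto isakmp key (?:[67] )?(\S+) address (\S+)")


def parse_crypto_maps(config):
    """Return {(map_name, seq): {"peers": [...], "acl": ...}} in configuration order.

    Peers are kept in the order they appear, because that is the order IOS
    tries them when this router initiates the tunnel.
    """
    entries, current = {}, None
    for line in config.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            entries[current] = {"peers": [], "acl": None}
            continue
        if current is None or not line.startswith(" "):
            current = None  # "!" or any other top-level line ends the entry
            continue
        m = PEER_RE.match(line)
        if m:
            entries[current]["peers"].append(m.group(1))
            continue
        m = ACL_RE.match(line)
        if m:
            entries[current]["acl"] = m.group(1)
    return entries


def parse_isakmp_keys(config):
    """Return {peer_address: preshared_key} from the global isakmp key lines."""
    return {m.group(2): m.group(1)
            for m in map(KEY_RE.match, config.splitlines()) if m}


def multi_peer_entries(entries):
    """Entries with several 'set peer' lines: a primary peer plus failover peers."""
    return {k: v["peers"] for k, v in entries.items() if len(v["peers"]) > 1}


def peers_in_multiple_entries(entries):
    """Peers that appear under more than one sequence number of the same map."""
    seqs = defaultdict(list)
    for (name, seq), v in entries.items():
        for peer in v["peers"]:
            seqs[(name, peer)].append(seq)
    return {k: v for k, v in seqs.items() if len(v) > 1}


def peers_sharing_a_key(keys):
    """Group peers by key; two peers on one key suggests one partner with two addresses."""
    by_key = defaultdict(list)
    for peer, key in keys.items():
        by_key[key].append(peer)
    return {k: v for k, v in by_key.items() if len(v) > 1}


def map_peers(entries):
    return {p for v in entries.values() for p in v["peers"]}


def peers_without_key(entries, keys):
    """Map peers with no isakmp key: IKE phase 1 to them cannot succeed."""
    return map_peers(entries) - set(keys)


def keys_without_map_peer(entries, keys):
    """Keys for addresses no crypto map references: likely stale partner addresses."""
    return set(keys) - map_peers(entries)


if __name__ == "__main__":
    e, k = parse_crypto_maps(SAMPLE_CONFIG), parse_isakmp_keys(SAMPLE_CONFIG)
    print("failover peer lists:", multi_peer_entries(e))
    print("peers in several entries:", peers_in_multiple_entries(e))
    print("peers sharing a key:", peers_sharing_a_key(k))
    print("map peers lacking a key:", peers_without_key(e, k))
    print("keys with no map peer:", keys_without_map_peer(e, k))
```

Point it at the output of "show running-config" instead of SAMPLE_CONFIG to audit a live box. An entry that appears in multi_peer_entries with both peers on the same key matches Pete's failover reading; a key whose address shows up in keys_without_map_peer is the "old IP nobody removed" case and is safe to clean up once the partner confirms.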
amigan_99 (Author, Network Engineer) commented:
Thanks much Pete.
Pete Long, Technical Consultant, commented:
Not a problem :) ThanQ