Do I have to admit that I am an idiot on the OSL?? You are right Kingsley, I assigned this IP address on my switchport 2 months ago and forgot......... therefore the conflict. 4 hours of %$*%$# around.
Thanks for your help.

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, September 09, 2009 8:54 PM
To: Michael Davis
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] VPN Load balancing on ASA 5510

Hi Michael

I think, there is IP duplication/conflict of 203.206.229.44.

Status: enabled
Role: Backup
Failover: n/a
Encryption: disabled
Cluster IP: 203.206.229.44
Peers: 1

                                          Load (%)    Sessions
   Public IP        Role    Pri  Model    IPSec SSL   IPSec SSL
---------------------------------------------------------------------------
*  203.206.229.42   Backup  10   ASA-5510   0    0      0    0
   203.206.229.44   Master  0    UNKNOWN    n/a  n/a    n/a  n/a

This highlighted value should be as

   203.206.229.43   Master  1    ASA-5510   n/a  n/a    n/a  n/a

203.206.229.44 has GRAT-ARP which means duplication.

I think 203.206.229.44 is being used at two places. Please check to which device the mac-address 001c.585a.d141 belongs to.

With regards
Kings

On Wed, Sep 9, 2009 at 3:45 PM, Michael Davis <[email protected]> wrote:

Hello Everyone -

I am going crazy. I have 2 ASA 5510's with sec+ and have working remote access VPN configurations on them. Both ASA outside interfaces reside in the same subnet and share the same default route and both inside interfaces are in the same subnet also. I have set the private and public interfaces correctly and I have gone over the docs and it all looks normal. Can anyone see what I am missing? It seems so simple.

Here is my config:

ASA1:
outside ip 203.206.229.42/29
inside ip 192.168.1.200
vpn load-balancing
 priority 10
 cluster ip address 203.206.229.44
 cluster port 4000
 participate

ASA2:
outside ip 203.206.229.43/29
inside ip 192.168.1.201
vpn load-balancing
 priority 1
 cluster ip address 203.206.229.44
 cluster port 4000
 participate

Here is the output of show vpn load-balancing on ASA1

Status: enabled
Role: Backup
Failover: n/a
Encryption: disabled
Cluster IP: 203.206.229.44
Peers: 1

                                          Load (%)    Sessions
   Public IP        Role    Pri  Model    IPSec SSL   IPSec SSL
---------------------------------------------------------------------------
*  203.206.229.42   Backup  10   ASA-5510   0    0      0    0
   203.206.229.44   Master  0    UNKNOWN    n/a  n/a    n/a  n/a

Here is my debug:

debug vpnlb 200
Master peer[203.206.229.44] is not answering HELLO
5718056: Deleted Master peer, IP 203.206.229.44
5718044: Deleted peer[203.206.229.44]
5718072: Becoming master of Load Balancing in context 0.
5718052: Received GRAT-ARP from duplicate master[001c585ad141]
5718054: Detected duplicate master[3030.3163.3538] and going to SLAVE
5718088: Possible VPN LB misconfiguration. Offending device MAC [001c.585a.d141] .
5718073: Becoming slave of Load Balancing in context 0.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com <http://www.ipexpert.com/>
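An added example, not part of the original thread: a short Python script that reads the `debug vpnlb 200` lines quoted above and reports which MAC address is blamed for the duplicate cluster IP. The function names are hypothetical, and treating `3030.3163.3538` as the ASCII text of the first six characters of the other MAC is an assumption based only on decoding its bytes (0x30 0x30 0x31 0x63 0x35 0x38 is "001c58").

```python
import re

# Debug lines copied from the thread above (output of "debug vpnlb 200").
SAMPLE_DEBUG = """\
Master peer[203.206.229.44] is not answering HELLO
5718056: Deleted Master peer, IP 203.206.229.44
5718044: Deleted peer[203.206.229.44]
5718072: Becoming master of Load Balancing in context 0.
5718052: Received GRAT-ARP from duplicate master[001c585ad141]
5718054: Detected duplicate master[3030.3163.3538] and going to SLAVE
5718088: Possible VPN LB misconfiguration. Offending device MAC [001c.585a.d141] .
5718073: Becoming slave of Load Balancing in context 0.
"""

# A MAC inside square brackets, either dotted (xxxx.xxxx.xxxx) or 12 bare hex digits.
MAC_IN_BRACKETS = re.compile(
    r"\[((?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}|[0-9a-fA-F]{12})\]")

def normalize_mac(text):
    """Return 12 lowercase hex digits, dropping '.', ':' and '-' separators."""
    return re.sub(r"[.:-]", "", text).lower()

def ascii_hex_fragment(mac):
    """If all six bytes of the MAC are ASCII hex digits, return them as text, else None."""
    decoded = bytes.fromhex(mac).decode("ascii", errors="replace")
    return decoded.lower() if re.fullmatch(r"[0-9a-fA-F]{6}", decoded) else None

def duplicate_master_macs(debug_text):
    """Map each distinct MAC blamed for the duplicate master to the lines naming it."""
    found = {}
    for line in debug_text.splitlines():
        if not re.search(r"duplicate master|Offending device MAC", line):
            continue
        for raw in MAC_IN_BRACKETS.findall(line):
            found.setdefault(normalize_mac(raw), []).append(line.strip())
    # Assumption: a value that decodes to the ASCII prefix of exactly one other
    # reported MAC is the same device printed differently, so fold it in.
    for mac in list(found):
        fragment = ascii_hex_fragment(mac)
        owners = [m for m in found if m != mac and fragment and m.startswith(fragment)]
        if len(owners) == 1:
            found[owners[0]].extend(found.pop(mac))
    return found

if __name__ == "__main__":
    for mac, lines in duplicate_master_macs(SAMPLE_DEBUG).items():
        print(mac, "named in", len(lines), "debug lines")
```

On the thread's output, all three lines resolve to the single MAC 001c585ad141, the address Kingsley asks Michael to trace.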
