Hi all, I have this simple topology:
R1 - ASA1 - R2 - ASA2 - R4 |
R5
I am making a site-to-site VPN from R4 to ASA1 and from R5 to ASA1 which protect the
traffic from lo0 4.4.4.4 to lo0 on R1 1.1.1.1 and from 5.5.5.5 to 1.1.1.1 too,
and enabled both in the same crypto map with numbers 10 and 11 on ASA1. My
issue is that the two VPNs are established and I can ping from R5 with the source
5.5.5.5 to 1.1.1.1 through the tunnel, but when I ping from R4 with source
4.4.4.4 to 1.1.1.1 I see this message on the ASA:

%ASA-3-713042: IKE Initiator unable to find policy: Intf inside, Src: 1.1.1.1, Dst: 4.4.4.4
%ASA-3-713042: IKE Initiator unable to find policy: Intf inside, Src: 1.1.1.1, Dst: 4.4.4.4
%ASA-3-713042: IKE Initiator unable to find policy: Intf inside, Src: 1.1.1.1, Dst: 4.4.4.4
%ASA-3-713042: IKE Initiator unable to find policy: Intf inside, Src: 1.1.1.1, Dst: 4.4.4.4
I have made a new loopback on R1 with IP 11.11.11.11 and modified the R4-ASA1
tunnel to protect the traffic between 11.11.11.11 and 4.4.4.4, and it works
fine.

The question is why the traffic is not coming back through the tunnel when I have two
tunnels protecting the same IP?

Below are the two IPsec SAs:
ASA1# show crypto ipsec sa
interface: outside
    Crypto map tag: VPN_R4, seq num: 11, local addr: 192.168.1.10

      access-list VPN_R4 permit ip host 1.1.1.1 host 4.4.4.4
      local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
      current_peer: 10.1.104.4

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.10, remote crypto endpt.: 10.1.104.4

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 511449F9

    inbound esp sas:
      spi: 0x9D888D58 (2642971992)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 106496, crypto-map: VPN_R4
         sa timing: remaining key lifetime (kB/sec): (4274999/3078)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x511449F9 (1360284153)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 106496, crypto-map: VPN_R4
         sa timing: remaining key lifetime (kB/sec): (4275000/3078)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: VPN_R5, seq num: 10, local addr: 192.168.1.10

      access-list VPN_R5 permit ip host 1.1.1.1 host 5.5.5.5
      local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
      current_peer: 10.1.105.5

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.10, remote crypto endpt.: 10.1.105.5

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 252CA7CC

    inbound esp sas:
      spi: 0x60F15CBA (1626430650)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 98304, crypto-map: VPN_R5
         sa timing: remaining key lifetime (kB/sec): (4274999/2871)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x252CA7CC (623683532)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 98304, crypto-map: VPN_R5
         sa timing: remaining key lifetime (kB/sec): (4274999/2871)
         IV size: 8 bytes
         replay detection support: Y
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
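Added example, not part of the original post: a small Python parser for the `show crypto ipsec sa` output above. It pulls each crypto map entry's protected hosts, peer and packet counters, flags SAs that decrypt inbound packets but never encrypt a reply (as VPN_R4 does here: decaps 4, encaps 0), and lists local hosts covered by more than one crypto map entry. SAMPLE_OUTPUT is a constructed excerpt using the values from the post.

```python
import re

# Constructed excerpt of the ASA1 "show crypto ipsec sa" output posted above (values from the post).
SAMPLE_OUTPUT = """\
    Crypto map tag: VPN_R4, seq num: 11, local addr: 192.168.1.10
      access-list VPN_R4 permit ip host 1.1.1.1 host 4.4.4.4
      current_peer: 10.1.104.4
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    Crypto map tag: VPN_R5, seq num: 10, local addr: 192.168.1.10
      access-list VPN_R5 permit ip host 1.1.1.1 host 5.5.5.5
      current_peer: 10.1.105.5
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
"""

TAG_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
ACL_RE = re.compile(r"access-list \S+ permit \S+ host (\S+) host (\S+)")
PEER_RE = re.compile(r"current_peer: (\S+)")
CNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")  # one counter per line is enough here

def parse_ipsec_sa(text):
    """One record per crypto map entry: tag, seq, protected local/remote host, peer, counters."""
    records, cur = [], None
    for line in text.splitlines():
        if m := TAG_RE.search(line):
            cur = {"tag": m[1], "seq": int(m[2]), "encaps": 0, "decaps": 0}
            records.append(cur)
        elif cur is None:
            continue  # header lines before the first crypto map entry
        elif m := ACL_RE.search(line):
            cur["local"], cur["remote"] = m[1], m[2]
        elif m := PEER_RE.search(line):
            cur["peer"] = m[1]
        elif m := CNT_RE.search(line):
            cur[m[1]] = int(m[2])
    return records

def one_way_entries(records):
    """Tags whose SA decrypts inbound packets but never encrypts a reply (decaps > 0, encaps == 0)."""
    return [r["tag"] for r in records if r["decaps"] > 0 and r["encaps"] == 0]

def shared_local_hosts(records):
    """Protected local hosts that appear in more than one crypto map entry, tags in seq order."""
    by_local = {}
    for r in sorted(records, key=lambda r: r["seq"]):
        by_local.setdefault(r["local"], []).append(r["tag"])
    return {host: tags for host, tags in by_local.items() if len(tags) > 1}
```

Run against the posted output, `one_way_entries` returns `['VPN_R4']` and `shared_local_hosts` returns `{'1.1.1.1': ['VPN_R5', 'VPN_R4']}`, which is the asymmetry the post describes.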