Recently I have created a hairpin VPN using an ASA 5510 (8.0(4)28) as the hub and Cisco 877s (12.4(4)T8) as the spokes.
This works fine, but only if I "start" the connection manually. For example:
- When I ping from spoke 1 to spoke 2 I don't receive a response;
- When I immediately ping from spoke 2 to spoke 1 I do receive a response;
- If I return to spoke 1, suddenly I can ping spoke 2.
The server situated in spoke 2 has an interval to poll devices in spoke 1, so after a while there is no connectivity. At least not until I start it again.
I already have configured keepalives on the ASA and the routers, but to no avail.
Can someone please shed some light on this situation? I added the appropriate parts of the config below.
192.168.1.0 is the hub site. All other ranges are spokes. Thanks.
Ikke
ASA config
access-list 118 extended permit ip 192.168.1.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list 118 extended permit ip 192.168.119.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list 119 extended permit ip 192.168.1.0 255.255.255.0 192.168.119.0 255.255.255.0
access-list 119 extended permit ip 192.168.118.0 255.255.255.0 192.168.119.0 255.255.255.0
!
crypto ipsec transform-set Secure esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto map Torens 118 match address 118
crypto map Torens 118 set peer xx.yy.zz.161
crypto map Torens 118 set transform-set Secure
crypto map Torens 119 match address 119
crypto map Torens 119 set peer xx.yy.zz.241
crypto map Torens 119 set transform-set Secure
!
crypto isakmp identity address
crypto isakmp enable Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 21600
!
tunnel-group xx.yy.zz.161 type ipsec-l2l
tunnel-group xx.yy.zz.161 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 10
!
tunnel-group xx.yy.zz.241 type ipsec-l2l
tunnel-group xx.yy.zz.241 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 10
Cisco 877
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key aabbccdd address xx.yy.zz.65
crypto isakmp nat keepalive 20
!
access-list 100 permit ip 192.168.118.0 0.0.0.63 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.118.0 0.0.0.63 192.168.119.0 0.0.0.255
!
crypto ipsec transform-set Secure esp-aes 256 esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer xx.yy.zz.65
 set transform-set Secure
 match address 100
!
interface Dialer0
 crypto map VPN
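A tunnel that only passes traffic after a particular side initiates is a classic symptom of crypto ACLs (the IKE phase 2 proxy identities) that are not exact mirror images of each other, masks included: which side proposes the narrower identity decides whether the negotiation succeeds. The script below is an added example, not part of the post or of any Cisco tool, that parses ASA-style (address + netmask) and IOS-style (address + wildcard) crypto ACL lines into networks and reports every spoke entry that has no identical mirror entry on the hub. The ACL text embedded as sample input is copied from the post; the function names are my own. Run against the post's ACLs it flags the 0.0.0.63 wildcard (/26) on the 877 against the 255.255.255.0 (/24) on the ASA, which is the first thing to reconcile before looking further.

```python
"""Check that a hub's and a spoke's crypto ACLs mirror each other exactly."""
import ipaddress
import re

# Constructed sample input: the hub (ASA) ACL 118 and the spoke (877) ACL 100 as quoted in the post.
HUB_ACL_118 = """
access-list 118 extended permit ip 192.168.1.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list 118 extended permit ip 192.168.119.0 255.255.255.0 192.168.118.0 255.255.255.0
"""

SPOKE_ACL_100 = """
access-list 100 permit ip 192.168.118.0 0.0.0.63 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.118.0 0.0.0.63 192.168.119.0 0.0.0.255
"""

ASA_RE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
IOS_RE = re.compile(r"^access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def net_from_mask(addr, netmask):
    """ASA syntax: network address followed by a subnet mask."""
    return ipaddress.ip_network((addr, netmask), strict=False)


def net_from_wildcard(addr, wildcard):
    """IOS syntax: network address followed by a wildcard (inverse) mask.
    The inversion is done explicitly because ipaddress would read 0.0.0.0 as a /0 netmask,
    whereas as a wildcard it means a single host (/32)."""
    mask_int = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask_int))), strict=False)


def parse_asa_acl(text):
    """Return the set of (src_net, dst_net) pairs in an ASA extended ACL."""
    pairs = set()
    for line in text.splitlines():
        m = ASA_RE.match(line.strip())
        if m:
            pairs.add((net_from_mask(m[1], m[2]), net_from_mask(m[3], m[4])))
    return pairs


def parse_ios_acl(text):
    """Return the set of (src_net, dst_net) pairs in an IOS numbered extended ACL."""
    pairs = set()
    for line in text.splitlines():
        m = IOS_RE.match(line.strip())
        if m:
            pairs.add((net_from_wildcard(m[1], m[2]), net_from_wildcard(m[3], m[4])))
    return pairs


def check_mirror(hub_pairs, spoke_pairs):
    """Every spoke (src, dst) must exist on the hub as (dst, src) with identical masks.
    Returns a list of findings; an empty list means the two ACLs mirror exactly."""
    findings = []
    # Flip the hub entries so both sets are expressed from the spoke's point of view.
    hub_mirrored = {(dst, src) for src, dst in hub_pairs}
    for src, dst in sorted(spoke_pairs, key=str):
        if (src, dst) in hub_mirrored:
            continue
        covering = [(hs, hd) for hs, hd in hub_mirrored if src.subnet_of(hs) and dst.subnet_of(hd)]
        if covering:
            hs, hd = covering[0]
            findings.append(f"spoke {src} -> {dst} is narrower than hub's mirrored {hs} -> {hd}")
        else:
            findings.append(f"spoke {src} -> {dst} has no mirror entry on the hub")
    for src, dst in sorted(hub_mirrored, key=str):
        covered = any(s.subnet_of(src) and d.subnet_of(dst) for s, d in spoke_pairs)
        if (src, dst) not in spoke_pairs and not covered:
            findings.append(f"hub {dst} -> {src} has no mirror entry on the spoke")
    return findings


def check_post_acls():
    """Run the mirror check on the ACLs quoted in the post."""
    return check_mirror(parse_asa_acl(HUB_ACL_118), parse_ios_acl(SPOKE_ACL_100))


if __name__ == "__main__":
    for finding in check_post_acls() or ["ACLs mirror exactly"]:
        print(finding)
```

The check is deliberately strict: a hub entry that merely covers the spoke's network is reported as a mismatch rather than accepted, because phase 2 behaviour then depends on which peer initiates. The same parsers apply unchanged to the hub's ACL 119 against the second spoke's crypto ACL.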