[c-nsp] ra-vpn and ipsec oddity

ryanL ryan.landry at gmail.com
Wed Nov 5 12:18:21 EST 2014


hi folks,

i have two offices (sf and nyc) connected together via ipsec on cisco asa.
super simple. works fine.

on the nyc firewall, i also have allowed remote-access vpn to corp
resources from outside, also of the ipsec variety (think native mac osx
cisco vpn client). also super simple. works fine.

however, when i'm behind the sf firewall and i try to ra-vpn to the nyc
firewall, the original ipsec connection between the offices drops. the nyc
firewall logs a duplicate ipsec packet, and essentially becomes wedged
until i clear conn and clear xlate. only then will the original ipsec
tunnel come up (probably a bug in 8.4.3?).

it would seem to me an easy fix would be to nat my sf clients from a
different source ip than the lan-to-lan source ip, but i'm curious if
there's a way to avoid that.

appreciate any help!

ryan

