Site-to-site tunnel initiation

Is there any way to start phase 2 without sending data from a workstation inside?

Once the tunnels are up, they are good to go unless they drop for some unforeseen reason or the SA is reset. The problem is that there is not much sourcing of traffic to the remote site to bring the tunnel back up if it drops; however, the hub site must be able to reach the remote sites.

Remote sites are configured with a static crypto map set to originate-only, with two peers defined. The hub site uses a dynamic crypto map.

Thanks for the tips.

A way around this is to have a machine on the remote end, or the remote PIX itself, use a local server, syslog server, etc. This traffic would bring the tunnel up without user intervention.

Tags: Cisco Security

Similar Questions

  • Cisco router 892 IPSec initiator?

    Hi all!

    I have an IPSec tunnel between a Cisco 892 router (c890-universalk9-mz.154-3.M4.bin) and a Cisco PIX 515E (ver. 8.0(4)28) with 5 subnets behind the PIX.

    The PIX is configured to handle the bidirectional connection type, but the router does not support it =)

    So, when I generate interesting traffic from hosts behind the router, IPSec does not work. When I generate traffic from hosts behind the PIX, everything works, but I need the initiator to be on the router side :-(

    Is there a way to make my Cisco 892 router work as the IPSec tunnel initiator with a Cisco PIX/ASA?

    I'm afraid I will have to replace the router with another device =((

    Thank you!

    Hi Yura Kazakevich,

    Try to enable pfs on the router:

    crypto map SDM_CMAP_1 1 ipsec-isakmp

     set pfs

    Hope this info helps!

    Rate if it helps!

    -JP-

  • VPN between 878 router and ASA 5505

    Hello world

    I struggled for a few days now to get a VPN connection works.

    The situation

    Two offices need to be connected to each other with a VPN. Both sides have a WAN connection.

    The tunnel between the locations comes up fine, but communication fails in almost every way.

    The hosts cannot ping each other, and pings to the inside interfaces of the router and the ASA also fail.

    The only ping that works is from inside Site2 to the inside interface of the router at site 1 (192.168.1.100 to 192.168.0.250)

    NAT works very well on both sites behind the router / ASA.

    I think I'm doing something wrong with the routes or access lists, but after 7 days, many reloads, restores, driving from one end of the state to the other to undo stupid moves, breaking and resoldering my console cable, and starting completely from defaults 10 times, I'm through; I honestly don't know where else to look...

    Tech Specs:

    Site1: has a cable modem that gives a WAN IP address via DHCP

    This modem connects to the Cisco 878 router (FastEthernet0)

    The router acts as a DHCP server and NAT gateway for the office and offers VPN connectivity to the other office

    Site2: has a cable modem/router (Cisco 3925), which does the NAT; this modem/router gives a private class-C IP (192.168.178.x)

    This modem/router connects to a Cisco ASA 5505 (FastEthernet0)

    The ASA also serves as a DHCP server and NAT gateway for the office and offers VPN connectivity to the other office.

    In a line, it looks like this:

    Office 1 --> Cisco878 --> WAN Cloud <--- cablemodemrouter <--- asa5505 <--- Office 2

    IP address ranges:

    Office 1

    Network 192.168.0.0

    Subnet mask 255.255.255.0

    Gateway 192.168.0.250

    IP WAN XXXX

    Office 2

    Network 192.168.1.0

    Subnet mask 255.255.255.0

    Gateway 192.168.1.1

    IP WAN XXXX

    At the office 2 location, there is a NAT between the ASA and the WAN router, on 192.168.178.x 255.255.255.0

    The modem/router is a Cisco 3925, on which IPSec passthrough is enabled.

    Configs:

    Site 1:

    CISCO 878 router

    Site 2

    ASA 5505

    I hope someone has a chance to look through my config and tell me what I did wrong this week

    Even if you can not help me but still read here: Thank YOU!

    (As my problem has been resolved, I removed the configs from this post. If for any reason you want a working configuration for these devices, please send me a PM)

    Post edited by: taaa lijf - reason: problem solved, removed configs and stuff private for obvious reasons ;)

    Hello

    Ping from a client at site 1 to a client at site 2, and run sh crypto isakmp sa and sh crypto ipsec sa on the router.

    If sh crypto isakmp sa gives QM_Idle, the ping fails and you have no packets in sh crypto ipsec sa, then do a debug crypto ipsec

    If sh crypto isakmp sa gives MM_NoState, do a debug crypto isakmp

    One note however: you should have a static IP address at least on the side initiating the tunnel, otherwise it will not work when the IP address changes.

    Kind regards.

    Alain.

  • RV042 vpn - stops passing traffic but remains connected

    We have two RV042 boxes connected by a VPN tunnel.  No problem initiating the tunnel or passing traffic initially.  However, after "a certain" time (apparently random amounts of time) the VPN stops passing traffic.  Then someone needs to go into the web admin and disconnect/reconnect the VPN, and it's OK once again.  This now happens several times a day.  FW ver is 1.3.12.6 on both sides, with static IP addresses from the ISP on both sides as well.  Any ideas on how to solve this problem?

    Thank you
    Drew

    Drew,

    Sorry I don't have a solution for you, but your post almost made me cry. We are experiencing the same problem, but with a gateway-to-gateway VPN, static to dynamic. I was hoping that the problem would go away if I could make the dynamic side static. It seems now I'm looking for other solutions. I wish you luck and thank you for bringing this gap to my attention.

  • Lost the VPN tunnel between 2 site when internal client using client vpn

    We currently have a VPN tunnel connected to the remote office using 2 Hotbrick VPN routers.

    When one of the internal computers tries to connect to another customer's VPN server using Cisco VPN Client v4.8, it results in a drop/disable/loss of the VPN tunnel between us and the remote office. The tunnel is still established but there is no traffic between the 2 sites (cannot ping at all).

    What is causing the problem? A Hotbrick problem? A Cisco VPN Client setting, or something else?

    I don't know what causes the problem. Help, please. Thanks in advance.

    Hello

    The problem is that your NAT device is not translating properly: when the 2nd client initiates the connection (ISAKMP packets, UDP 500), the port isn't translated, so to the ASA it looks as if the first user is trying to connect again, and it then rejects the initial connection.

    The trick is, as you have discovered, to use global UDP.

    The problem is that UDP 10000 is not a standard, so you need to check whether multiple users can be connected at the same time behind the same NAT device.

    If this is not the case, use the industry-standard NAT transparency (UDP 4500). This should be configured only on the ASA.

    Please rate if this helped.

    Kind regards

    Daniel

  • ASA 5505 and ASA 5510 Site to Site VPN Tunnel cannot be established

    Hi all experts

    We now plan to set up a site-to-site IPSec VPN tunnel between an ASA 5505 (ASA version 8.4) and an ASA 5510 (ASA version 8.0), but it failed. Would you please show me how to establish it? Is there a reference guide?

    I got syslog errors 713902 and 713903; how do I fix them?

    I got the following when I typed "sh crypto isakmp sa":

    Type    : user            Role    : initiator

    Rekey   : no              State   : MM_WAIT_MSG2

    Hugo

    Hello

    This state is reached when the phase 1 policies do not match on the two ends.

    Please confirm that you have the same phase 1 settings on both sides with the following commands:

    show run crypto isakmp

    show run crypto ikev1

    Also make sure that UDP ports 500 and 4500 are open for communication between your device and the remote peer.

    Finally, make sure you have a suitable route to the remote VPN endpoint device.

    Hope that helps.

    Kind regards

    Dinesh Moudgil
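
The state checks suggested in the two answers above (QM_Idle and MM_NoState on the router, MM_WAIT_MSG2 on the ASA), as an added example that is not part of either post: a Python parser for `show crypto isakmp sa` output in both the ASA and the IOS layout that attaches the next step each answer gives. The sample outputs and their addresses are constructed, and the function names are illustrative.

```python
import re

# Next steps quoted from the two answers above, keyed by ISAKMP state with
# case and underscores stripped, so "QM_Idle" and "QM_IDLE" both match.
ADVICE = {
    "MMWAITMSG2": "compare phase 1 policies on both ends, confirm UDP 500 "
                  "and 4500 are open, check the route to the peer",
    "MMNOSTATE": "run 'debug crypto isakmp'",
    "QMIDLE": "phase 1 is up; if pings fail and 'sh crypto ipsec sa' shows "
              "no packets, run 'debug crypto ipsec'",
}
UNCOVERED = "state not covered by the answers on this page"

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ASA_PEER = re.compile(r"IKE Peer:\s*(\S+)")
ASA_FIELD = re.compile(r"(\w+)\s*:\s*(\S+)")
IOS_ROW = re.compile(rf"^({IP})\s+({IP})\s+(\S+)\s+\d+\s+\S+")

# Constructed sample output (documentation addresses), ASA layout.
ASA_SAMPLE = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

# Constructed sample output, IOS router layout (one table row per SA).
IOS_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.1       198.51.100.7    QM_IDLE           1001 ACTIVE
192.0.2.1       198.51.100.9    MM_NO_STATE          0 ACTIVE (deleted)
192.0.2.1       198.51.100.11   MM_KEY_EXCH       1002 ACTIVE
"""


def parse_isakmp_sa(text):
    """Parse ASA or IOS 'show crypto isakmp sa' text into a list of dicts."""
    sas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        peer = ASA_PEER.search(line)
        if peer:  # ASA: an "IKE Peer:" line opens a new SA record
            current = {"peer": peer.group(1), "role": None, "state": None}
            sas.append(current)
        elif current is not None and ":" in line:
            # ASA: "Key : value" pairs, two per line, belong to the open record
            for key, value in ASA_FIELD.findall(line):
                if key.lower() in ("role", "state"):
                    current[key.lower()] = value
        else:
            row = IOS_ROW.match(line)
            if row:  # IOS: dst, src, state, conn-id, status
                dst, src, state = row.groups()
                sas.append({"peer": f"{src}->{dst}", "role": None,
                            "state": state})
    return sas


def triage(text):
    """Return (peer, state, next_step) for every SA found in the output."""
    results = []
    for sa in parse_isakmp_sa(text):
        state = sa["state"] or "UNKNOWN"
        key = state.upper().replace("_", "")
        results.append((sa["peer"], state, ADVICE.get(key, UNCOVERED)))
    return results


if __name__ == "__main__":
    for peer, state, step in triage(ASA_SAMPLE) + triage(IOS_SAMPLE):
        print(f"{peer:28} {state:14} {step}")
```
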

  • SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel

    Hi all.

    I really need help on this one.

    Office 1 is running SBS 2008; Office 2 is running Server 2008.

    Each office has its own FQDN: Office 1 CompanyABC, Office 2 Company A_B_C.

    Each office has its own internal IP address pool: Office 1 192.168.69.xxx and Office 2 192.168.20.xxx.

    A site-to-site VPN tunnel between the 2 office routers (Office 1 Netgear SRX5308 and Office 2 Netgear FVS318G) is established and working.

    Each office has its own DNS server, which also acts as a domain controller

    How do I configure the 2 networks to see each other and be able to use assets on each network (files, printers)?

    Is it as simple as adding another internal IP pool to each DNS server?

    Thanks in advance for your help.

    Hello

    Your Question is beyond the scope of this community.

    I suggest that you repost your question in the SBS forums.

    https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver

    "Windows Small Business Server 2011 Essentials online help"

    https://msdn.Microsoft.com/en-us/library/home-client.aspx

    TechNet Server forums.

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

    See you soon.

  • Tunnel VPN Firewall (both sides of the Site B, same IP series)

    Hi Experts,

    I'm in a weird situation, hope I can get an answer from you guys.

    I created a VPN tunnel to our customer on our firewall 3 years ago.

    Now we are creating a VPN tunnel for a new customer, but the IP settings for the new customer are the same as for the former client. How can we get around this, given that we cannot change the IP settings on either client?

    Here are the technical details

    Older client settings:

    (1) our authorized local LAN IP: 192.168.3.0/24

    (2) customer's authorized local LAN IP: 10.0.0.0/8 (as there are several network ranges at the client end)

    New customer to make settings:

    (1) our authorized Local LAN IP: 192.168.3.0/24

    (2) authorized customer Local LAN IP: 10.10.16.0/24

    10.10.32.0/24

    Please help with how we can make the settings without making any changes on the client side.

    I am using a WatchGuard XTM 515 firewall

    Thanks & best regards,

    Mandeep

    This issue is beyond the scope of this site (for consumers) and to be sure, you get the best (and fastest) reply, we have to ask either on Technet (for IT Pro) or MSDN (for developers)
  • I bought a used Latitude D530. It came with Windows 7. Dell's website said it initially came with Vista. It no longer starts. The error says check the data cable

    I bought a used Latitude D530. It came with Windows 7. Dell's website said it initially came with Vista. It no longer starts. The error says check the data cable. Sometimes, reinstall drive. I do not have the Windows CD. Can I download the original Windows on an Android phone and transfer it?

    You can download and create a bootable copy:

    http://answers.Microsoft.com/en-us/Windows/Forum/Windows_7-windows_install?tab=question&status=unanswered

    then

    http://techingiteasy.WordPress.com/2012/04/13/how-to-activate-Windows-7-OEM-license-using-a-retail-disc/

  • Groups of Tunnel by site to site connection VLAN?

    On my ASA, which has been in production for a few years, there are IPSec site-to-site tunnels configured.

    Each client's VPN interface IP is named, for example:

    name 192.168.1.1 My_Router

    And there is an IPSec transform set configured for the name.

    What I'm wondering is, there are also tunnel groups configured for each connection. The name of certain tunnel groups is the IP address of the client's VPN device. The tunnel-group name is simply a text value, correct? Is the IP address used as the name just a value, not referenced anywhere else the IP address is configured? I need to change the IP address of one of these site-to-site VPNs and I'm worried because I don't know what role the tunnel groups play or what their requirements actually are, as it does not appear that anything else in the config uses the tunnel-group name.

    tunnel-group 192.168.1.1 type ipsec-l2l

    tunnel-group 192.168.1.1 ipsec-attributes

     pre-shared-key xxxxxx

    Thanks for any help in clearing this up for me!

    -----------------

    I did some further digging; it seems that all my tunnel groups are tied to my (default) DfltGrpPolicy.

    It seems that the tunnel groups do not do anything?

    In general, the name of the tunnel-group should be the IP address of the remote peer if you use a pre-shared key. When an IPSec connection arrives, the ASA uses the IP address to find the right PSK. If the peer changes, you will need to reconfigure the tunnel-group.

    You do not need a separate transform-set for each connection. I usually only have two or three of them, called ESP-AES256-SHA, ESP-AES128-SHA and ESP-3DES-SHA. The names describe what is in the transform set. They are then applied to all connections.

    The default group policy is fine if you do not have special needs per connection, such as a different VPN filter.

    Sent from Cisco Technical Support iPad App

  • Site-to-site IPsec without re-establishing a new tunnel

    Hello, I have a question about IPSec S2S.

    In this topology, I would like IPSec S2S between 172.21.0.0/24 and 172.22.0.0/24.

    The serial line is the first priority and the route via the ISP is the second priority for routing.

    The question is: how can I create the IPsec site-to-site connection so that it is not re-established when the routing path changes?

    The AR configuration:

    !
    version 15.1
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname AR
    !
    !
    !
    !
    !
    !
    !
    !
    no ip cef
    no ipv6 cef
    !
    !
    !
    username BR password 0 cisco
    !
    !
    license udi pid CISCO2901/K9 sn FTX1524YO05
    license boot module c2900 technology-package securityk9
    !
    !
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp key cisco address 10.0.0.2
    crypto isakmp key cisco address 200.200.200.2
    !
    !
    !
    crypto ipsec transform-set TS esp-3des esp-sha-hmac
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 10.0.0.2
     set peer 200.200.200.2
     set transform-set TS
     match address vpn
    !
    !
    !
    !
    !
    !
    spanning-tree mode pvst
    !
    !
    !
    !
    !
    !
    interface GigabitEthernet0/0
     ip address 100.100.100.2 255.255.255.252
     duplex auto
     speed auto
     crypto map CMAP
    !
    interface GigabitEthernet0/1
     ip address 172.21.0.254 255.255.255.0
     duplex auto
     speed auto
    !
    interface Serial0/0/0
     ip address 10.0.0.1 255.255.255.252
     encapsulation ppp
     ppp authentication chap
     clock rate 2000000
     crypto map CMAP
    !
    interface Serial0/0/1
     no ip address
     clock rate 2000000
     shutdown
    !
    interface Vlan1
     no ip address
     shutdown
    !
    router ospf 1
     log-adjacency-changes
     network 10.0.0.0 0.0.0.3 area 0
     network 172.21.0.0 0.0.0.255 area 0
    !
    router rip
     version 2
     network 100.0.0.0
     network 172.21.0.0
     no auto-summary
    !
    ip classless
    !
    ip flow-export version 9
    !
    !
    ip access-list extended vpn
     permit ip 172.21.0.0 0.0.0.255 172.22.0.0 0.0.0.255
    !
    !
    !
    !
    !
    line con 0
    !
    line aux 0
    !
    line vty 0 4
     login
    !
    !
    !
    end

    The BR configuration:

    !
    version 15.1
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname BR
    !
    !
    !
    !
    !
    !
    !
    !
    no ip cef
    no ipv6 cef
    !
    !
    !
    username AR password 0 cisco
    !
    !
    license udi pid CISCO2901/K9 sn FTX1524L63A
    license boot module c2900 technology-package securityk9
    !
    !
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp key cisco address 10.0.0.1
    crypto isakmp key cisco address 100.100.100.2
    !
    !
    !
    crypto ipsec transform-set TS esp-3des esp-sha-hmac
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 10.0.0.1
     set peer 100.100.100.2
     set transform-set TS
     match address vpn
    !
    !
    !
    !
    !
    !
    spanning-tree mode pvst
    !
    !
    !
    !
    !
    !
    interface GigabitEthernet0/0
     ip address 200.200.200.2 255.255.255.252
     duplex auto
     speed auto
     crypto map CMAP
    !
    interface GigabitEthernet0/1
     ip address 172.22.0.254 255.255.255.0
     duplex auto
     speed auto
    !
    interface Serial0/0/0
     ip address 10.0.0.2 255.255.255.252
     encapsulation ppp
     ppp authentication chap
     crypto map CMAP
    !
    interface Serial0/0/1
     no ip address
     clock rate 2000000
     shutdown
    !
    interface Vlan1
     no ip address
     shutdown
    !
    router ospf 1
     log-adjacency-changes
     network 10.0.0.0 0.0.0.3 area 0
     network 172.22.0.0 0.0.0.255 area 0
    !
    router rip
     version 2
     network 172.22.0.0
     network 200.200.200.0
     no auto-summary
    !
    ip classless
    !
    ip flow-export version 9
    !
    !
    ip access-list extended vpn
     permit ip 172.22.0.0 0.0.0.255 172.21.0.0 0.0.0.255
    !
    !
    !
    !
    !
    line con 0
    !
    line aux 0
    !
    line vty 0 4
     login
    !
    !
    !
    end

    Thank you very much!

    Although you might go this route, I wouldn't.

    I would use VTI (GRE tunnels that run over IPSec) interfaces.  One on the serial circuit and the other on the ISP circuit.

    You can then either use GRE keepalives to detect which tunnels are up and use static routes, or use a dynamic routing protocol such as EIGRP (put a higher 'bandwidth' value with the 'bandwidth' command on the preferred tunnel).

  • ASA site-to-site tunnel stops passing traffic for some subnets after a while

    Hello

    We have a really strange site-to-site tunnel issue on several ASAs.

    We set up VPN tunnels between a small site and three larger ones.

    The small site has an ASA 5505, the other three main sites have ASA 5510s.

    One of the tunnels has been working for months without problems.

    Each tunnel carries several class C networks.

    Example, site A:

    -192.168.50.0/24 (named A1)

    -192.168.51.0/24 (named A2)

    Site B:

    -192.168.60.0/24 (named B1)

    -192.168.61.0/24 (named B2)

    On the two faulty tunnels, all is well at the beginning. After a few days (1-14) some networks cease to work. So I can ping network B1 from both A1 and A2, but network B2 only from A2. Pings from A1 to B2 time out. The ASA at site A shows tx = 0 for A1<=>B2, but an increasing rx count. The ASA at site B shows rx = 0 for B2<=>A1 and tx counting upward.

    This happens unexpectedly after different periods. Sometimes it hits the ASA at site B, where tx = 0; sometimes it is the ASA at site A.

    I tried to fix it with the following commands:

    clear crypto isakmp sa
    clear crypto ipsec sa
    clear xlate

    but nothing has worked. The only solution for now is to restart the ASA where the tx count shows 0. After restarting, everything goes well for a while.

    On one of the affected sites, we have an ASA failover configuration. A failover of the active device also solves the problem. But if you fail back without restarting the old primary, the issue returns immediately.

    I think that it is not a configuration issue because:

    -All tunnels are configured in the same way, and one of them has been running for months without any problem

    -Tunnels work for all subnet combinations after a reboot

    -The problem occurs after different and long periods of time. So I think that the period between failures is too long to be caused by tunnel timeouts and so on.

    All ASAs are running 9.1(5)21.

    I updated the firmware through several releases these past few months and had the same problem with every version I tested.

    So I hope that someone else has also had this problem and found a solution.

    Christian

    Hey!

    Did you manage to solve it or find the root cause?

    Thank you

  • Two tunnels from site to site and vpnclient access

    I have 2 remote sites, 1 with a static IP address and 1 with a dynamic IP address; they connect to a central site that has a PIX 501. I got the 2 IPSec tunnels working well for a while, but my client now wants the possibility of having workers use the VPN client to connect to the PIX as well. The problem I have is that after adding the vpngroup config, my site with the dynamic IP address can no longer connect. I had to use the IP address they have now and add an additional peer in the crypto map, but if this IP address changes I have to come in and change the config.

    Here's the relevant info in the config:

    access-list ipsec permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0

    access-list sheep permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0

    access-list sheep permit ip 192.168.100.0 255.255.255.0 192.168.125.0 255.255.255.0

    access-list sheep permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0

    access-list ipsec2 permit ip 192.168.100.0 255.255.255.0 192.168.125.0 255.255.255.0

    sysopt connection permit-ipsec

    crypto ipsec transform-set oadcset esp-des esp-md5-hmac

    crypto dynamic-map oadcdynmap 30 set transform-set oadcset

    crypto map oadcmap 21 ipsec-isakmp

    crypto map oadcmap 21 match address ipsec

    crypto map oadcmap 21 set peer

    crypto map oadcmap 21 set transform-set oadcset

    crypto map oadcmap 22 ipsec-isakmp

    crypto map oadcmap 22 match address ipsec2

    crypto map oadcmap 22 set peer

    crypto map oadcmap 22 set transform-set oadcset

    crypto map oadcmap 25 ipsec-isakmp dynamic oadcdynmap

    crypto map oadcmap interface outside

    isakmp enable outside

    isakmp key * address netmask 255.255.255.255 no-xauth no-config-mode

    isakmp key * address netmask 255.255.255.255 no-xauth no-config-mode

    isakmp identity address

    isakmp policy 21 authentication pre-share

    isakmp policy 21 encryption des

    isakmp policy 21 hash md5

    isakmp policy 21 group 2

    isakmp policy 21 lifetime 28800

    vpngroup oadcgroup address-pool oadcclient

    vpngroup oadcgroup dns-server 192.168.100.3

    vpngroup oadcgroup default-domain clientdomain.com

    vpngroup oadcgroup idle-time 1800

    vpngroup oadcgroup password *

    Any help is appreciated,

    Ken

    sysopt connection permit-ipsec

    crypto ipsec transform-set oadcset esp-des esp-md5-hmac

    crypto dynamic-map oadcdynmap1 30 set transform-set oadcset

    crypto dynamic-map oadcdynmap1 30 match address ipsec2

    crypto dynamic-map oadcdynmap 30 set transform-set oadcset

    crypto map oadcmap 21 ipsec-isakmp

    crypto map oadcmap 21 match address ipsec

    crypto map oadcmap 21 set peer

    crypto map oadcmap 21 set transform-set oadcset

    crypto map oadcmap 22 ipsec-isakmp dynamic oadcdynmap1

    crypto map oadcmap 25 ipsec-isakmp dynamic oadcdynmap

    Try this and see if it helps. I have something similar on a router; I do not know if the PIX supports it. Worth a try.

  • SA520w routing through site-to-site VPN tunnels

    I have several offices that are connected using site-to-site VPN tunnels, and all will use the SA520W (firmware 2.1.18). I currently have 3 routers in place, with tunnels created from router A to router B and to router C. I need assistance with the configuration to allow the hosts at site B to get to site C. I have attempted to add a static route, but get destination host unreachable when trying to ping. Also, if I connect to site A via the Cisco VPN client, I'm not able to reach resources at site B or C.

    Site A - 10.10.0.0/24

    Site B - 10.0.0.0/24

    Site C - 10.25.0.0/24

    Any help is greatly appreciated.

    So, this is what you have configured, correct?

    RTR_A

    ||

    _____________ || ___________

    ||                                            ||

    RTR_B                                RTR_C

    Since there is no tunnel between B and C, there is no way to pass that traffic through RTR_A, for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPSec tunnel (it is IPSec, right?) rtr_a ==> rtr_b. You can't just add a route statement because your addresses are not routable, which is the reason why it fails.

    Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but you should get what you need.

    I hope this helps.

  • Site-to-site tunnel between ASAs

    Hello

    I have a site-to-site tunnel between 2 ASAs. One ASA is behind the university and the other is in our data center. The university provides the Internet service and they have an ASA that controls incoming traffic. We used to have tunnel problems where stale SAs were inactive and were deleted at the data center end due to timeout or other unknown reasons. We subsequently discovered that ASA 9.1.5 behind the university had a bug where it does not remove stale entries. After downgrading the code to version 8.4.6 we don't see any problems, and it now works as usual. The university guy said that he added some ACLs on the external interface to allow our data center IP to forward VPN traffic.

    https://Quickview.cloudapps.Cisco.com/QuickView/bug/CSCup37416

    My question: even before adding these ACLs the tunnel worked, but it was not removing stale entries. I think that it became stable after the upgrade. The university guys said that adding the ACL may have stabilized the issue.

    Can anyone can highlight here what's happening?

    Thanks in advance.

    Hi Vishnu,

    Adding the ACL on the external interface has no relation to the entries in the ASP table for VPN traffic.

    Duplicate ASP entries are caused by the crypto ACL and interesting traffic.

    The ASP table showed duplicate ASP entries, and traffic hit an ASP entry that is stale, so the traffic for that particular SA is blackholed, which led to the interruption of the VPN traffic.

    It has no connection with the interface ACL.

    Hope it answers your query.

    Kind regards

    Aditya

    Please rate helpful posts.
