Let me start by saying... I know these are shit and have made my life miserable, but I'm stuck with them for a few more years... Running 6.2.3.6 on a pair of 2130s.
I have a vendor that requires a site-to-site tunnel (IKEv1) to support our ERP application. They have given me an address block (10.10.10.0/27) to NAT my internal server IPs to. The crypto map (10.10.10.0/27 to their public IP) is built and everything appears to be configured correctly.
Yet when they source traffic from their side to mine to the first available IP in the block, it creates a duplicate IPsec SA for that traffic with different inbound and outbound SPIs. I saw this same issue on our old ASA 5515-X's running 9.1.7.
I've done bug searches and found some stuff about show asp drop and vpn-overlap-conflict which looks like it applies to the ASA, but nothing on the Firepower side. When I do show asp drop on them it does show vpn-overlap-conflict and it has incremented since yesterday... 78 to 84 overnight. This is currently the only active tunnel on the device.
Anyone got any ideas of what could be going on? Thanks in advance.
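Two checks worth scripting for the situation described above, as an added example (not code from the original post, and not a Cisco tool): parse a `show crypto ipsec sa` capture and flag crypto-map entries whose local and remote proxy identities overlap (the duplicate SA pair with different SPIs the post describes), and diff two `show asp drop` captures to see which drop reasons grew between them, so the 78 → 84 increment can be tracked without eyeballing. The captures embedded here are constructed for the example and only approximate the ASA/FTD CLI layout; the addresses are RFC 5737 placeholders, not the poster's.

```python
"""Spot overlapping IPsec SAs and growing ASP drop counters in ASA/FTD CLI captures.

Both sample captures are constructed for this example; their layout approximates
the "show crypto ipsec sa" and "show asp drop" output (an assumption, not text
from the original post). Feed real captures to the same functions.
"""
import ipaddress
import re

# Constructed sample: two crypto-map entries for the same peer. The second one
# carries a /32 inside the first entry's /27, i.e. the same traffic is covered
# by two SA pairs with different SPIs.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 192.0.2.10
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.224/0/0)
      remote ident (addr/mask/prot/port): (198.51.100.5/255.255.255.255/0/0)
      current_peer: 198.51.100.5
      inbound esp sas:
        spi: 0x1A2B3C4D (439041101)
      outbound esp sas:
        spi: 0x5E6F7081 (1584689281)
    Crypto map tag: outside_map, seq num: 1, local addr: 192.0.2.10
      local ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (198.51.100.5/255.255.255.255/0/0)
      current_peer: 198.51.100.5
      inbound esp sas:
        spi: 0x9F8E7D6C (2677242220)
      outbound esp sas:
        spi: 0x0BADCAFE (195939070)
"""

# Constructed samples: two "show asp drop" captures taken some hours apart.
ASP_DROP_BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                              1523
  VPN overlap conflict (vpn-overlap-conflict)                                 78
  Invalid TCP Length (invalid-tcp-hdr-length)                                  3
"""
ASP_DROP_AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                              1601
  VPN overlap conflict (vpn-overlap-conflict)                                 84
  Invalid TCP Length (invalid-tcp-hdr-length)                                  3
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+)/(\S+)/\d+/\d+\)")
SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")


def parse_ipsec_sas(text):
    """One dict per crypto-map entry: local/remote selectors as networks plus SPI lists."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            current = {"local": None, "remote": None, "inbound": [], "outbound": []}
            entries.append(current)
            section = None
            continue
        if current is None:
            continue
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask = m.groups()
            # ipaddress accepts dotted-quad netmasks, e.g. 10.10.10.0/255.255.255.224
            current[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith("inbound esp sas"):
            section = "inbound"
        elif line.startswith("outbound esp sas"):
            section = "outbound"
        elif section and SPI_RE.match(line):
            current[section].append(SPI_RE.match(line).group(1).lower())
    return entries


def find_overlapping_sas(entries):
    """Index pairs whose local AND remote selectors overlap: more than one SA
    pair matches the same flow, which is what a duplicate SA looks like here."""
    pairs = []
    for i in range(len(entries)):
        for j in range(i + 1, len(entries)):
            a, b = entries[i], entries[j]
            if all((a["local"], a["remote"], b["local"], b["remote"])) \
                    and a["local"].overlaps(b["local"]) and a["remote"].overlaps(b["remote"]):
                pairs.append((i, j))
    return pairs


def parse_asp_drop(text):
    """Map each drop-reason token (the name in parentheses) to its counter."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"\(([\w-]+)\)\s+(\d+)\s*$", text, re.MULTILINE)}


def asp_drop_delta(before, after):
    """Drop reasons whose counter grew between two captures; unseen reasons count from 0."""
    b, a = parse_asp_drop(before), parse_asp_drop(after)
    return {name: a[name] - b.get(name, 0) for name in a if a[name] > b.get(name, 0)}


if __name__ == "__main__":
    sas = parse_ipsec_sas(SAMPLE_IPSEC_SA)
    for i, j in find_overlapping_sas(sas):
        print(f"overlap: {sas[i]['local']}->{sas[i]['remote']} in/out {sas[i]['inbound']}/{sas[i]['outbound']}"
              f" vs {sas[j]['local']}->{sas[j]['remote']} in/out {sas[j]['inbound']}/{sas[j]['outbound']}")
    for name, grew in asp_drop_delta(ASP_DROP_BEFORE, ASP_DROP_AFTER).items():
        print(f"{name} grew by {grew}")
```

Run it against a capture taken right after the peer-initiated traffic arrives and you get the pair of entries covering the same flow together with their SPIs; running the drop diff on a schedule shows whether vpn-overlap-conflict is the only counter moving or whether other drops correlate with the extra SA.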