KB ID 0001316 Dtd 02/06/17
This week I had a client who had a head office and three satellite sites. They had old firewalls (a 5510 and 5505’s), and my firm had installed FTTC circuits, into the sites for them. My job was to reconfigure the firewalls and the site to site VPN tunnels (each site had a tunnel to the other sites), then disconnect their old ADSL connections, change the firewalls public IP, then connect to the shiny new FTTC circuits.
To save on downtime, my plan was to create new tunnel-groups for all the new IP addresses with the same shared-secrets, then add the new IPs as an alternative crpytomap peers. That way I could migrate all the sites and , the only downtime would be when I changed the firewall to the new IP and plugged into the new router, cool eh?
All was going well until I hit the third satellite site and tried to add a second VPN peer like so…
It returned this error;
ERROR: Multiple Peers can be specified only with originate-only connections
None of the other sites had done this, and I’ve done redundant VPN configs many times, (see the failover ISP article at the bottom of the page.) Never had I seen this error?
I made the ‘mistake‘ of adding;
A few minutes later I got an email “That sites VPNs have all gone down?”. On investigation the remote site thought the tunnel was up, (it was even encrypting and decrypting layer two traffic?) The main site didn’t even say phase one was attempting. I changed all the crypto maps back to a single peer IP and removed the ‘connection-type originate-only’ from all the crypto entries as well, everything started working again?
I found a bug report for something similar (CSCsd21514) but that affected version 7, I did a show version on the firewall it was running 7.2 (eeurgh.) I updated it to 8.3, (yes I could go to 9 but lets not tempt fate). Problem disappeared, it accepted the redundant VPN config and everything worked, (I flipped the circuit on this problem firewall this morning and downtime was less than 10 seconds).