How can I tell if site-to-site VPN has connected?

Unanswered Question
Apr 7th, 2007

I know this is a stupid question. I've spent a couple of weeks trying to get two ASA 5505 to connect a simple site-to-site VPN, but I just can't get it to work. This is very humbling - I've been a computer programmer and administrator for nearly 30 years, but for some reason I just haven't yet found the key to getting this off the ground.


I'm trying to build a hub/spoke VPN with a main office and four branches. To begin with, I would be happy just to get the main office to connect via site-to-site VPN with one branch.


I've tried the VPN Wizard in ASDM numerous times, I've tweaked using CLI numerous times. I've read the manuals, I've searched countless web sites and forums. Is it supposed to be this hard? How do you tell when you have succeeded? The main screen of ASDM has a section that shows the number of VPN tunnels, and they are always 0.


When you get the config correct, does the VPN just magically appear? Or do you have to reset or "start" it somehow to initiate the connection? What is the typical way people tell whether or not the VPN tunnel has been established? I can't look at the front panel VPN light because I'm configuring both ASAs remotely (at home on the sofa) via ASDM.


Thank you for any insight. THis is making me feel old....very old.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Manjunatha Jayaram Mon, 04/09/2007 - 02:03

You can check the status of the tunnel using

1. show crypto isakmp sa

2. show crypto ipsec sa


Points to check:

1. Check if only 1 map is assigned for the outgoing interface.

2. Check whether the configs at both end are same - authentication, key, hash etc.

3. Check the Access List on both ends.

4. Check whether the peer IP is the Public IP or NAT ip if applicable.

5. Is the interesting traffic defined..


Dynamic maps are needed, if there are any other maps configured on ASA. Also you can check the tunnel, by initiating a ping from one end to the other and then log into ASDM and select "Monitoring", VPN Statistics, Sesssions and then filter by LAN to LAn...


Do try these and reply back...


Manjunatha Jayaram Mon, 04/09/2007 - 02:16

You can check the status of the tunnel using

1. show crypto isakmp sa

2. show crypto ipsec sa


Points to check:

1. Check if only 1 map is assigned for the outgoing interface.

2. Check whether the configs at both end are same - authentication, key, hash etc.

3. Check the Access List on both ends.

4. Check whether the peer IP is the Public IP or NAT ip if applicable.

5. Is the interesting traffic defined..


Dynamic maps are needed, if there are any other maps configured on ASA. Also you can check the tunnel, by initiating a ping from one end to the other and then log into ASDM and select "Monitoring", VPN Statistics, Sesssions and then filter by LAN to LAn...


Do try these and reply back...


kevintubbs Mon, 04/09/2007 - 02:40

Thanks for the response. In the 48 hours or so since I made the initial posting, I managed to get it working. What frustrated me is that there was no one Cisco document that had the complete answer, and some documents had subtle typos. It took many hours of Googling, reading, trying, reading more, etc.


Each document provided a little bit of important information. After meticulous re-checking of every line, every address, I finally got a response to a ping through the tunnel.


I understand that the ASA is a very flexible and powerful device with many options, which makes it impossible to provide sample configs for all scenarios. Still, I think that there are some serious gaps and errors in the documentation. For nearly 30 years, I've been the guy who opens new equipment, reads the manuals, sets up and installs the device and trains users. The ASA was my biggest challenge ever.

Manjunatha Jayaram Mon, 04/09/2007 - 20:22

You are wlcome. Where exactly was the error? Do post on that too so that it will be useful for many. I too had spent a lot of time in getting my site to site vpn to work. Cisco Press Books, Google, Cisco site and numerous forums werein i got bits n pieces of commands and tips to debug the problems. Also the ASDM is a bit buggy i guess. The CLI is much better and stable one to configure any scenario if familiar with the commands. Yes the cisco site documents has typos and also not many scenarios like mine were not covered.

Actions

This Discussion