ISAKMP and IPsec on ASA5510 ver 7.2(1)

Unanswered Question
Jul 17th, 2007

Please help.

When I do a 'show crypto isakmp sa' on asa5510 ver 7.2(1) for a L2L ipsec tunnel, this is the message it gives me. Pls explain what it means.

I have also attached the debug messages, please explain what that means.

nchandy Wed, 07/18/2007 - 11:55


The sh cry isa sa output with MM_ACTIVE indicates that the main mode is in active state, i.e. phase 1 is up.

The debugs are indicating that it is failing at Quick Mode (QM) or phase 2. You would need to get the isa as well as ipsec debugs on both ends to find why it is failing at phase 2.


nchandy Thu, 07/19/2007 - 12:58


Looks like the debug was taken from the buffer and hence incomplete and not really helpful. Is it possible to capture the debugs on the console or monitor session and log the entire debugs, right from the time the tunnel is starting to come up?


bericaleb Thu, 07/19/2007 - 15:09

If I am accessing the ASA from remote telnet rather than directly connected to the console, how can I capture debugs from a session monitor? How do I do a monitor session?

bericaleb Wed, 07/18/2007 - 20:52

Please explain the debug information I attached. This is from the asa5510 ver 7.2(1).

I need help urgently, pls.

kberglun Thu, 07/19/2007 - 14:42

This is a long shot since the debugs are incomplete. Check whether both sides are set up to do PFS (Perfect Forward Secrecy). You will find it under the crypto map statements on the ASA.

kberglun Thu, 07/19/2007 - 16:12

Get the complete debugs; since we don't have the configurations, set the level of debugs to 255.

bericaleb Mon, 07/23/2007 - 18:33


I set the level of debugs on the asa to 255 for crypto isakmp & crypto ipsec.

