IPSec tunnel not coming up between two ASA-5540s.

Answered Question
Jan 24th, 2008
I've included the appropriate config lines of two ASA-5540s that I'm trying to get a lan-2-lan tunnel up between. The first few lines show the log messages that are generated when I try to ping from either host on either side.


Am I missing something that will keep the tunnel from coming up?



4 IP = 10.10..1.147, Error: Unable to remove PeerTblEntry
3 IP = 10.10..1.147, Removing peer from peer table failed, no match!
6 IP = 10.10..1.147, P1 Retransmit msg dispatched to MM FSM
5 IP = 10.10..1.147, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 IP = 10.10..1.147, P1 Retransmit msg dispatched to MM FSM
5 IP = 10.10..1.147, Duplicate Phase 1 packet detected. Retransmitting last packet.
4 IP = 10.10..1.147, Error: Unable to remove PeerTblEntry
3 IP = 10.10..1.147, Removing peer from peer table failed, no match!
6 IP = 10.10..1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6 IP = 10.10..1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6 IP = 10.10..1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
5 IP = 10.10..1.147, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.10..1.147 local Proxy Address 10.10..1.135, remote Proxy Address 10.10..1.155, Crypto map (outside_map0)



ROC-ASA5540-A# sh run
!
ASA Version 8.0(3)
!
hostname ROC-ASA5540-A
names
name 10.10..1.135 GHC_Laptop description For VPN testing
name 10.10..1.155 SunMed_pc description For VPN testing
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10..1.129 255.255.255.240
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10..1.145 255.255.255.248
!
!
access-list outside_2_cryptomap extended permit ip host GHC_Laptop host SunMed_pc
!
asdm image disk0:/asdm-603.bin
!
route outside 10.10..1.152 255.255.255.248 10.10..1.147 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set peer 10.10..1.147
crypto map outside_map0 2 set transform-set ESP-3DES-SHA
crypto map outside_map0 2 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy Lan-2-Lan_only internal
group-policy Lan-2-Lan_only attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec
tunnel-group 10.10..1.147 type ipsec-l2l
tunnel-group 10.10..1.147 ipsec-attributes
 pre-shared-key *
!
ROC-ASA5540-A#

----------------------------------------------------------


ROC-ASA5540-B# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname ROC-ASA5540-B
!
names
name 10.10..1.135 GHC_laptop
name 10.10..1.155 SunMed_PC
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10..1.153 255.255.255.248
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10..1.147 255.255.255.248
!
access-list outside_cryptomap extended permit ip host SunMed_PC host GHC_laptop
!
asdm image disk0:/asdm-603.bin
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 10.10..1.145
crypto map outside_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_map2 1 set nat-t-disable
crypto map outside_map2 interface outside
crypto isakmp enable inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy Lan-2-Lan internal
group-policy Lan-2-Lan attributes
 vpn-tunnel-protocol IPSec
tunnel-group 10.10..1.145 type ipsec-l2l
tunnel-group 10.10..1.145 ipsec-attributes
 pre-shared-key *
!
ROC-ASA5540-B#

Correct Answer by ajagadee about 9 years 4 months ago

On the ROC-ASA5540-B ASA, you have "isakmp enable inside", this should be "isakmp enable outside".


Please reconfigure the ASA and let me know how it goes.


Regards,

Arul


** Please rate helpful posts **
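A quick sanity check for the class of mistake in the accepted answer, added here as example code (not from the thread, Cisco, or the ASA itself): it parses the L2L-relevant lines of both running-configs and reports when a crypto map is applied to one interface while ISAKMP is enabled on another, when a peer address is not the other side's crypto-map interface address, or when no ipsec-l2l tunnel-group matches the peer. The embedded configs are trimmed copies of the two "sh run" outputs above, with the addresses kept exactly as posted.

```python
import re
CONFIGS = {  # trimmed from the two "sh run" outputs in the post; addresses as posted
    "A": """nameif outside
ip address 10.10..1.145 255.255.255.248
crypto map outside_map0 2 set peer 10.10..1.147
crypto map outside_map0 interface outside
crypto isakmp enable outside
tunnel-group 10.10..1.147 type ipsec-l2l""",
    "B": """nameif outside
ip address 10.10..1.147 255.255.255.248
crypto map outside_map2 1 set peer 10.10..1.145
crypto map outside_map2 interface outside
crypto isakmp enable inside
tunnel-group 10.10..1.145 type ipsec-l2l""",
}

def parse_asa(cfg):
    """Pull the L2L-relevant facts out of an ASA running-config (subset of commands)."""
    p = {"ip": {}, "cmap_if": {}, "peers": {}, "isakmp": set(), "tgroups": set()}
    nameif = None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m[1]                      # interface name used by later commands
        elif m := re.match(r"ip address (\S+) \S+$", line):
            p["ip"][nameif] = m[1]
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            p["cmap_if"][m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) \d+ set peer (\S+)$", line):
            p["peers"].setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"crypto isakmp enable (\S+)$", line):
            p["isakmp"].add(m[1])
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            p["tgroups"].add(m[1])
    return p

def check_l2l(configs):
    """Return findings for an L2L pair; an empty list means the basics line up."""
    sides = {k: parse_asa(v) for k, v in configs.items()}
    wan = {k: {p["ip"].get(i) for i in p["cmap_if"].values()} for k, p in sides.items()}
    findings = []
    for name, p in sides.items():
        for cmap, ifname in p["cmap_if"].items():
            # IKE must listen on the interface the crypto map is applied to.
            if ifname not in p["isakmp"]:
                findings.append(f"{name}: crypto map {cmap} is on {ifname} but isakmp is enabled on {sorted(p['isakmp'])}")
            for peer in p["peers"].get(cmap, ()):
                if not any(peer in w for k, w in wan.items() if k != name):
                    findings.append(f"{name}: peer {peer} is not the other side's crypto-map interface address")
                if peer not in p["tgroups"]:
                    findings.append(f"{name}: no ipsec-l2l tunnel-group named {peer}")
    return findings
```

Run against the posted configs it reports only the ROC-ASA5540-B mismatch; after changing that line to "crypto isakmp enable outside" it reports nothing.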
