01-24-2008 11:45 AM - edited 02-21-2020 03:30 PM
I've included the appropriate config lines of two ASA-5540s that I'm trying to get a lan-2-lan tunnel up between. The first few lines show the log messages that are generated when I try to ping from either host on either side.
Am I missing something that will keep the tunnel from coming up?
4 IP = 10.10..1.147, Error: Unable to remove PeerTblEntry
3 IP = 10.10..1.147, Removing peer from peer table failed, no match!
6 IP = 10.10..1.147, P1 Retransmit msg dispatched to MM FSM
5 IP = 10.10..1.147, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 IP = 10.10..1.147, P1 Retransmit msg dispatched to MM FSM
5 IP = 10.10..1.147, Duplicate Phase 1 packet detected. Retransmitting last packet.
4 IP = 10.10..1.147, Error: Unable to remove PeerTblEntry
3 IP = 10.10..1.147, Removing peer from peer table failed, no match!
6 IP = 10.10..1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6 IP = 10.10..1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6 IP = 10.10..1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
5 IP = 10.10..1.147, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.10..1.147 local Proxy Address 10.10..1.135, remote Proxy Address 10.10..1.155, Crypto map (outside_map0)
ROC-ASA5540-A# sh run
!
ASA Version 8.0(3)
!
hostname ROC-ASA5540-A
names
name 10.10..1.135 GHC_Laptop description For VPN testing
name 10.10..1.155 SunMed_pc description For VPN testing
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.10..1.129 255.255.255.240
!
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address 10.10..1.145 255.255.255.248
!
!
access-list outside_2_cryptomap extended permit ip host GHC_Laptop host SunMed_pc
!
asdm image disk0:/asdm-603.bin
!
route outside 10.10..1.152 255.255.255.248 10.10..1.147 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set peer 10.10..1.147
crypto map outside_map0 2 set transform-set ESP-3DES-SHA
crypto map outside_map0 2 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
group-policy Lan-2-Lan_only internal
group-policy Lan-2-Lan_only attributes
vpn-filter none
vpn-tunnel-protocol IPSec
tunnel-group 10.10..1.147 type ipsec-l2l
tunnel-group 10.10..1.147 ipsec-attributes
pre-shared-key *
!
ROC-ASA5540-A#
----------------------------------------------------------
ROC-ASA5540-B# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname ROC-ASA5540-B
!
names
name 10.10..1.135 GHC_laptop
name 10.10..1.155 SunMed_PC
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.10..1.153 255.255.255.248
!
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address 10.10..1.147 255.255.255.248
!
access-list outside_cryptomap extended permit ip host SunMed_PC host GHC_laptop
!
asdm image disk0:/asdm-603.bin
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 10.10..1.145
crypto map outside_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_map2 1 set nat-t-disable
crypto map outside_map2 interface outside
crypto isakmp enable inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
group-policy Lan-2-Lan internal
group-policy Lan-2-Lan attributes
vpn-tunnel-protocol IPSec
tunnel-group 10.10..1.145 type ipsec-l2l
tunnel-group 10.10..1.145 ipsec-attributes
pre-shared-key *
!
ROC-ASA5540-B#
01-24-2008 12:12 PM
On the ROC-ASA5540-B ASA, you have "isakmp enable inside"; this should be "isakmp enable outside".
Please reconfigure the ASA and let me know how it goes.
Regards,
Arul
** Please rate helpful posts **
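A lint for the mismatch identified in the answer above, as an added example (not part of the original thread and not Cisco tooling): it reads `sh run` text and reports when a crypto map is applied to an interface that ISAKMP is not enabled on, or when a crypto map peer has no `ipsec-l2l` tunnel-group. The function name `lint_l2l` and the sample config are assumptions; the sample is constructed from the ROC-ASA5540-B lines, with RFC 5737 placeholder addresses.

```python
import re

def lint_l2l(config):
    """Return a list of findings for ASA 8.0-style 'sh run' text."""
    map_ifs = {}        # crypto map name -> interface it is applied to
    map_peers = {}      # crypto map name -> peer addresses from 'set peer'
    ike_ifs = set()     # interfaces named in 'crypto isakmp enable'
    l2l_groups = set()  # tunnel-group names of type ipsec-l2l
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"crypto map (\S+) interface (\S+)", line):
            map_ifs[m[1]] = m[2]
        elif m := re.fullmatch(r"crypto map (\S+) \d+ set peer (.+)", line):
            map_peers.setdefault(m[1], set()).update(m[2].split())
        elif m := re.fullmatch(r"crypto isakmp enable (\S+)", line):
            ike_ifs.add(m[1])
        elif m := re.fullmatch(r"tunnel-group (\S+) type ipsec-l2l", line):
            l2l_groups.add(m[1])
    findings = []
    for name, ifname in map_ifs.items():
        # Phase 1 must be answered on the interface the crypto map is bound to.
        if ifname not in ike_ifs:
            enabled = ", ".join(sorted(ike_ifs)) or "no interface"
            findings.append(f"crypto map {name} is applied to '{ifname}' "
                            f"but ISAKMP is enabled on: {enabled}")
        # Each peer needs a matching LAN-to-LAN tunnel-group for its pre-shared key.
        for peer in sorted(map_peers.get(name, ())):
            if peer not in l2l_groups:
                findings.append(f"peer {peer} in crypto map {name} "
                                f"has no ipsec-l2l tunnel-group")
    return findings

# Constructed sample (not the poster's full config; addresses are placeholders).
SAMPLE_B = """
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 192.0.2.145
crypto map outside_map2 interface outside
crypto isakmp enable inside
tunnel-group 192.0.2.145 type ipsec-l2l
"""
FIXED_B = SAMPLE_B.replace("crypto isakmp enable inside",
                           "crypto isakmp enable outside")

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_B), ("after fix", FIXED_B)):
        print(label, "->", lint_l2l(cfg) or "no findings")
```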