Unanswered Question
JORGE RODRIGUEZ Wed, 06/11/2008 - 19:15


I don't believe the ASA or the other end appliance will attempt to bring the tunnel up until one side sends interesting traffic. Depending on how your tunnel is set up in terms of who will be the initiator, one side must generate traffic to bring up the tunnel. Have you tried sending pings or whichever TCP traffic you configured in your ACLs?

If you have sent interesting traffic and no joy, I would suggest troubleshooting further with debug crypto isakmp to determine where phase-1 fails.

As a double check, make sure both ends coincide and perfectly match/agree on the ISAKMP policy settings; this is the most common stage where L2L fails at first.
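
An added example, not part of either post: one way to do the ISAKMP policy comparison suggested above, by parsing the crypto isakmp policy blocks from both peers and listing which phase 1 attributes disagree. The configs are constructed samples, the function names are hypothetical, and every attribute is assumed to be written out explicitly (platform defaults and lifetime are not modelled).

```python
import re
# Attributes both peers must agree on for an ISAKMP policy (phase 1) to match.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")

# Constructed sample configs, not taken from the thread.
LOCAL = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""
REMOTE = """\
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""

def parse_policies(config):
    """Return {priority: {attribute: value}} from 'crypto isakmp policy' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        head = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if head:
            current = policies.setdefault(int(head.group(1)), {})
        elif current is not None and line.startswith(" ") and line.split():
            key, *value = line.split()
            current[key] = " ".join(value)
        else:
            current = None  # any other top-level command ends the policy block
    return policies

def differences(initiator, responder):
    """Map each (initiator, responder) priority pair to the attributes that disagree."""
    return {(i, r): [k for k in MATCH_KEYS if initiator[i].get(k) != responder[r].get(k)]
            for i in sorted(initiator) for r in sorted(responder)}

def find_match(initiator, responder):
    """Return the first priority pair with no disagreement, or None if phase 1 cannot match."""
    return next((p for p, d in differences(initiator, responder).items() if not d), None)

if __name__ == "__main__":
    print(differences(parse_policies(LOCAL), parse_policies(REMOTE)))
```

An empty list for any pair means those two policies agree on all four attributes; if no pair is empty, phase 1 has no common proposal.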



JORGE RODRIGUEZ Thu, 06/12/2008 - 05:52

Hi Jim,

Are you generating the interesting traffic from a valid source? I mean from a source that you have permitted in the ACL of this tunnel policy.

Can you post the complete output of debug crypto isakmp to see the flow?

After you get the complete output of the above debug, also post the output of show crypto isakmp sa.



