L2L VPN not initiating

Jul 3rd, 2008

Hi All,


We have a production site with an ASA5520 which has an L2L tunnel to another site; that tunnel has been up, stable and working fine. I am trying to bring up a new site with another ASA5520 running IOS 7.0(7), and the tunnel is not initiating at all. Internet access is fine. Please find attached the SiteA (new site) config and the PROD site config (the existing config with the additional configs I tried in order to bring up the tunnel). Please suggest where the issue is.


Thank you in advance

MS


acomiskey Thu, 07/03/2008 - 12:02


The tunnel group and peer on PROD for the new vpn should be the ip address of SiteA ASA.


You have:

crypto map Outside_map 40 set peer 9.12.12.8
tunnel-group 9.12.12.8 type ipsec-l2l

It should be:

crypto map Outside_map 40 set peer 8.14.88.82
tunnel-group 8.14.88.82 type ipsec-l2l

mvsheik123 Thu, 07/03/2008 - 12:50

Apologies.. that was my typo while changing IPs to post in the forum.

The PROD ASA has the correct IPs for the new site in both places (set peer & tunnel-group).

Also, sysopt (permit-ipsec on one end, permit-ipsec on the other end) is enabled already.

Please find the correct attachments (with IPs matched).

a.alekseev Thu, 07/03/2008 - 13:20

Have you tried doing

###
no crypto map Outside_map interface Outside
crypto map Outside_map interface Outside
###

?

a.alekseev Thu, 07/03/2008 - 12:07

sysopt connection permit-vpn

It should be on both sides.

On PROD try doing the following:

###
no crypto map Outside_map interface Outside
crypto map Outside_map interface Outside
###

mvsheik123 Thu, 07/03/2008 - 15:06

sysopt connection permit-vpn: depends on the IOS. Not every IOS on the ASA supports the same command.

Did the no/crypto map with no luck.


Thank you

MS

a.alekseev Thu, 07/03/2008 - 20:21

Could you show the debugs?

debug crypto isakmp 10
debug crypto ipsec 10

mvsheik123 Fri, 07/04/2008 - 19:26

Thank you all for your suggestions. I found the issue. There is a separate 'ISAKMP POLICY 10' existing on the PROD ASA which is taking over from 40. The tunnel came up with no issues once that was corrected.


Thank you once again for the suggestions.


MS

a.alekseev Fri, 07/04/2008 - 23:58

Congratulations :)

But strange, because you had identical isakmp policies.

isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400

crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400


mvsheik123 Sat, 07/05/2008 - 11:17

That's one thing which I did not get. Even though I have identical policies, how come the other policy (even though the policy # is lower) is taking over? So on the PROD ASA:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400

Any clarification is appreciated..


Thank you

MS
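The question above is about how an ASA chooses among several isakmp policies. As an added example that is not part of this thread, the following script parses both policy syntaxes quoted here (the flat `isakmp policy 40 ...` lines and the `crypto isakmp policy 30` block) and simulates the IKEv1 phase 1 selection: the responder walks its own policies from the lowest priority number upward and accepts the first one whose authentication, encryption, hash and group match a proposal from the initiator, with the shorter lifetime used. The configs embedded below are constructed from the values in the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the thread: PROD ASA (responder) uses block syntax.
PROD_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
"""

# Constructed from the thread: SiteA ASA (initiator) uses flat 7.0-style lines.
SITEA_CONFIG = """
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
"""

# Attributes that must agree exactly; lifetime is negotiated to the shorter value.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")
HEADER = re.compile(r"(?:crypto )?isakmp policy (\d+)(?: (\w+) (.+))?$")


def parse_isakmp_policies(config: str) -> List[Tuple[int, Dict[str, str]]]:
    """Return (priority, attributes) pairs sorted by priority, lowest number first."""
    policies: Dict[int, Dict[str, str]] = {}
    current: Optional[int] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = int(m.group(1))
            attrs = policies.setdefault(current, {})
            if m.group(2):  # flat form carries the attribute on the same line
                attrs[m.group(2)] = m.group(3)
        elif current is not None and raw[:1].isspace():  # indented block body
            key, _, value = line.partition(" ")
            policies[current][key] = value
        else:
            current = None  # any other top-level line ends the block
    return sorted(policies.items())


def select_policy(responder_cfg: str, initiator_cfg: str) -> Optional[Tuple[int, int, int]]:
    """Simulate the responder's choice: (responder prio, initiator prio, lifetime) or None."""
    initiator = parse_isakmp_policies(initiator_cfg)
    for r_prio, r_attrs in parse_isakmp_policies(responder_cfg):
        for i_prio, i_attrs in initiator:
            if all(r_attrs.get(k) == i_attrs.get(k) for k in MATCH_KEYS):
                lifetime = min(int(r_attrs.get("lifetime", 86400)), int(i_attrs.get("lifetime", 86400)))
                return r_prio, i_prio, lifetime
    return None  # no proposal matched: phase 1 fails
```

With the configs as quoted, policy 10 (sha, group 2) does not match SiteA's proposal and the responder falls through to policy 30; making policy 10 identical to 30 shows the lower number being chosen instead.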
