L2L VPN not initiating

Unanswered Question
Jul 3rd, 2008

Hi All,

We have a production site with an ASA5520 which has an L2L tunnel to another site which has been up/stable and working fine. I am trying to bring up a new site having another ASA5520 with IOS 7.0(7) and the tunnel is not initiating at all. The internet access is fine. Please find the attached SiteA (new site) config and the prod site's existing config with the additional configs I tried to bring up the tunnel. Please suggest where the issue is.

Thank you in advance

MS

acomiskey Thu, 07/03/2008 - 12:02

The tunnel group and peer on PROD for the new vpn should be the ip address of SiteA ASA.

You have

crypto map Outside_map 40 set peer 9.12.12.8
tunnel-group 9.12.12.8 type ipsec-l2l

It should be....

crypto map Outside_map 40 set peer 8.14.88.82
tunnel-group 8.14.88.82 type ipsec-l2l

mvsheik123 Thu, 07/03/2008 - 12:50

Apologies.. that was my typo while changing IPs to post in the forum.

The PROD ASA has the correct IPs for the new site at both places (set peer & tunnel-group).

Also, sysopt (permit ip-sec on one end, permit-ipsec on the other end) is enabled already.

Please find the correct attachments (with IPs matched).
a.alekseev Thu, 07/03/2008 - 13:20

Have you tried doing

###
no crypto map Outside_map interface Outside
crypto map Outside_map interface Outside
###

?

a.alekseev Thu, 07/03/2008 - 12:07

sysopt connection permit-vpn

It should be on both sides.

On PROD try doing the following

###
no crypto map Outside_map interface Outside
crypto map Outside_map interface Outside
###

mvsheik123 Thu, 07/03/2008 - 15:06

sysopt connection permit-vpn: based on IOS. Not every IOS on ASA supports the same command.

Did the no/crypto with no luck.

Thank you

MS

a.alekseev Thu, 07/03/2008 - 20:21

Could you show the debugs?

debug crypto isakmp 10
debug crypto ipsec 10

mvsheik123 Fri, 07/04/2008 - 19:26

Thank you all for your suggestions. I found the issue. There is a separate 'ISAKMP POLICY 10' existing on the PROD ASA which is taking over from 40. The tunnel came up with no issues once that was corrected.

Thank you once again for the suggestions.

MS

a.alekseev Fri, 07/04/2008 - 23:58

Congratulations :)

But strange, because you had identical isakmp policies.

isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400

crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400

mvsheik123 Sat, 07/05/2008 - 11:17

That's one thing which I did not get. Even though I have identical policies, how come the other policy (even though its policy # is lower) is taking over? So on the PROD ASA:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400

Any clarification is appreciated.

Thank you

MS
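As an added illustration (not part of the thread or written by any of its participants), the script below parses both ISAKMP policy syntaxes quoted above (the flat `isakmp policy N attr value` form and the `crypto isakmp policy N` block form) and reports, for every policy on one peer, the lowest-numbered policy on the other peer that agrees on every attribute, so a mismatched policy such as PROD's policy 10 stands out during config review. The config excerpts are constructed from the values the posters quoted; the function names are my own.

```python
import re

# Constructed excerpts modelled on the policies quoted in the thread (not real device output).
PROD_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
"""
SITEA_CFG = """\
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
"""
ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_isakmp_policies(cfg):
    """Return {priority: {attr: value}} from flat or block-style ASA ISAKMP policy lines."""
    policies = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"^(?:crypto )?isakmp policy (\d+)(?: (\w+) (\S+))?$", line)
        if m:
            current = int(m.group(1))
            if m.group(2):  # flat form carries the attribute on the same line
                policies.setdefault(current, {})[m.group(2)] = m.group(3)
            continue
        parts = line.split()
        if current is not None and len(parts) == 2 and parts[0] in ATTRS:
            policies.setdefault(current, {})[parts[0]] = parts[1]  # block-form attribute line
    return policies

def matching_policies(local, remote):
    """Map each local priority to the lowest remote priority agreeing on all ATTRS, or None."""
    result = {}
    for lp in sorted(local):
        result[lp] = next((rp for rp in sorted(remote) if all(local[lp].get(a) == remote[rp].get(a) for a in ATTRS)), None)
    return result
```

Run the comparison in both directions (PROD against SiteA and SiteA against PROD); a `None` entry is a policy with no exact counterpart on the far side.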
