07-03-2008 11:44 AM
Hi All,
We have a production site with an ASA5520 which has an L2L tunnel to another site; it has been up, stable and working fine. I am trying to bring up a new site with another ASA5520 running IOS 7.0(7), and the tunnel is not initiating at all. Internet access is fine. Please find attached the SiteA (new site) config and the prod site's existing config with the additional configs I tried in order to bring up the tunnel. Please suggest where the issue is.
Thank you in advance
MS
07-03-2008 12:02 PM
The tunnel group and peer on PROD for the new vpn should be the ip address of SiteA ASA.
you have
crypto map Outside_map 40 set peer 9.12.12.8
tunnel-group 9.12.12.8 type ipsec-l2l
it should be....
crypto map Outside_map 40 set peer 8.14.88.82
tunnel-group 8.14.88.82 type ipsec-l2l
07-03-2008 12:50 PM
Apologies, that was my typo while changing IPs to post in the forum.
The PROD ASA has the correct IPs for the new site in both places (set peer and tunnel-group).
Also, sysopt (permit-ipsec on one end, permit-ipsec on the other end) is enabled already.
Please find the correct attachments (with IPs matched).
07-03-2008 01:20 PM
Have you tried doing
###
no crypto map Outside_map interface Outside
crypto map Outside_map interface Outside
###
?
07-03-2008 12:07 PM
sysopt connection permit-vpn
It should be on both sides.
On PROD try do the following
###
no crypto map Outside_map interface Outside
crypto map Outside_map interface Outside
###
07-03-2008 03:06 PM
sysopt connection permit-vpn: it depends on the IOS. Not every IOS on the ASA supports the same command.
Did the no/crypto map with no luck.
Thank you
MS
07-03-2008 08:21 PM
Could you show the debugs?
debug crypto isakmp 10
debug crypto ipsec 10
07-04-2008 07:26 PM
Thank you all for your suggestions. I found the issue. There is a separate 'ISAKMP POLICY 10' existing on the PROD ASA which is taking over 40. The tunnel came up with no issues once that was corrected.
Thank you once again for the suggestions.
MS
07-04-2008 11:58 PM
Congratulations :)
But that's strange, because you had identical isakmp policies.
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 86400
07-05-2008 11:17 AM
That's one thing which I did not get. Even though I have identical policies, how come the other policy (even though its policy number is lower) is taking over? So the PROD ASA:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 86400
Any clarification is appreciated.
Thank you
MS
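To make the question in the last post concrete, here is an added example (not code from the thread or from Cisco) that models how an ASA picks an ISAKMP policy: the responder walks its own policies from the lowest priority number upward and, for each one, compares it against every proposal the initiator sent; the first match wins, so a lower-numbered policy is always considered before a higher-numbered one, and an identical policy 40 on the other end never gets a chance if something earlier in the list already matches. The parser accepts both syntaxes shown in the thread (the one-line `isakmp policy N attr value` form and the `crypto isakmp policy N` block form). The PROD config is copied from the thread; the SiteA proposals are constructed for illustration, and the attribute defaults are an assumption based on Cisco's documented defaults rather than anything in the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # lower number = evaluated first on an ASA
    authentication: str
    encryption: str
    hash: str
    group: int
    lifetime: int        # seconds


# Values an ASA fills in for attributes a policy leaves unset.
# Assumption: these follow Cisco's documented defaults, not this thread.
DEFAULTS = {"authentication": "rsa-sig", "encryption": "3des",
            "hash": "sha", "group": "2", "lifetime": "86400"}


def parse_isakmp_policies(config: str) -> List[IsakmpPolicy]:
    """Parse 'isakmp policy N attr value' one-liners and
    'crypto isakmp policy N' blocks into policy objects, sorted by priority."""
    fields: Dict[int, Dict[str, str]] = {}
    current: Optional[int] = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["crypto", "isakmp", "policy"] and len(tokens) == 4:
            current = int(tokens[3])            # start of a block
            fields.setdefault(current, {})
        elif tokens[:2] == ["isakmp", "policy"] and len(tokens) == 5:
            fields.setdefault(int(tokens[2]), {})[tokens[3]] = tokens[4]
            current = None
        elif current is not None and len(tokens) == 2:
            fields[current][tokens[0]] = tokens[1]   # attribute inside a block
        else:
            current = None                      # any other line ends the block
    policies = []
    for prio, attrs in sorted(fields.items()):
        merged = {**DEFAULTS, **attrs}
        policies.append(IsakmpPolicy(prio, merged["authentication"],
                                     merged["encryption"], merged["hash"],
                                     int(merged["group"]), int(merged["lifetime"])))
    return policies


def select_policy(responder: List[IsakmpPolicy], initiator: List[IsakmpPolicy]
                  ) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """Responder checks its own policies in priority order against all of the
    initiator's proposals. Authentication, encryption, hash and DH group must be
    equal; the negotiated lifetime is the shorter of the two. First match wins."""
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in sorted(initiator, key=lambda p: p.priority):
            if (mine.authentication, mine.encryption, mine.hash, mine.group) == \
               (theirs.authentication, theirs.encryption, theirs.hash, theirs.group):
                return mine, theirs, min(mine.lifetime, theirs.lifetime)
    return None   # no common policy: Phase 1 fails and the tunnel never comes up


def negotiate(responder_cfg: str, initiator_cfg: str) -> Optional[Tuple[int, int, int]]:
    """Return (responder priority, initiator priority, lifetime) or None."""
    match = select_policy(parse_isakmp_policies(responder_cfg),
                          parse_isakmp_policies(initiator_cfg))
    if match is None:
        return None
    mine, theirs, lifetime = match
    return mine.priority, theirs.priority, lifetime


# PROD ASA policies as posted in the thread.
PROD_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
"""

# Constructed: SiteA offering only the policy that was meant to match PROD's 30.
SITEA_INTENDED = """
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
"""

# Constructed: SiteA also carrying a policy 10 that happens to match PROD's 10.
SITEA_WITH_EXTRA = SITEA_INTENDED + """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""

if __name__ == "__main__":
    print(negotiate(PROD_CONFIG, SITEA_INTENDED))    # (30, 40, 86400)
    print(negotiate(PROD_CONFIG, SITEA_WITH_EXTRA))  # (10, 10, 86400)
```

The second call shows the effect the poster saw: with an extra policy on the initiator that matches PROD's policy 10, that pair is chosen before the identical 30/40 pair is ever compared, so the tunnel runs on sha/group 2 rather than the md5/group 5 combination the admin intended. Running `show crypto isakmp sa` (or the `debug crypto isakmp` suggested earlier in the thread) on the responder is the way to confirm which policy actually won.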