604 Views, 0 Helpful, 9 Replies

L2L VPN not initiating

mvsheik123 (Level 7)

Hi All,

We have a production site with an ASA5520 which has an L2L tunnel to another site; that tunnel has been up, stable and working fine. I am trying to bring up a new site with another ASA5520 running IOS 7.0(7), and the tunnel is not initiating at all. Internet access is fine. Please find attached the SiteA (new site) config and the prod site's existing config with the additional configs I tried in order to bring up the tunnel. Please suggest where the issue is.

Thank you in advance

MS

9 Replies

acomiskey (Level 10)

The tunnel group and peer on PROD for the new vpn should be the ip address of SiteA ASA.

you have

crypto map Outside_map 40 set peer 9.12.12.8

tunnel-group 9.12.12.8 type ipsec-l2l

it should be....

crypto map Outside_map 40 set peer 8.14.88.82

tunnel-group 8.14.88.82 type ipsec-l2l

Apologies, that was my typo while changing IPs to post in the forum.

The PROD ASA has the correct IPs for the new site in both places (set peer & tunnel-group).

Also, sysopt (permit ip-sec on one end, permit-ipsec on the other end) is already enabled.

Please find the correct attachments (with IPs matched).

Have you tried doing

###

no crypto map Outside_map interface Outside

crypto map Outside_map interface Outside

###

?

a.alekseev (Level 7)

sysopt connection permit-vpn

it should be on both sides.

On PROD try do the following

###

no crypto map Outside_map interface Outside

crypto map Outside_map interface Outside

###

sysopt connection permit-vpn: based on IOS. Not every IOS on ASA supports the same command.

Did the no/crypto with no luck.

Thank you

MS

Could you show the debugs?

debug crypto isakmp 10

debug crypto ipsec 10

Thank you all for your suggestions. I found the issue. There is a separate 'ISAKMP POLICY 10' on the PROD ASA which is taking over from 40. The tunnel came up with no issues once that was corrected.

Thank you once again for the suggestions.

MS

Congratulations :)

But strange, because you had identical isakmp policies.

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash md5

isakmp policy 40 group 5

isakmp policy 40 lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 5

lifetime 86400

That's one thing I did not get. Even though I have identical policies, how come the other policy (even though its policy # is lower) takes over? So PROD ASA:

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 5

lifetime 86400

Any clarification is appreciated..

Thank you

MS
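The two checks the thread ends up doing by hand (does every `crypto map ... set peer` have a matching `tunnel-group ... type ipsec-l2l`, and which ISAKMP policy would each side settle on given both configs) can be run offline against `show run` output. The script below is an added example, not code from the thread or from Cisco. The two sample configs are constructed from the lines quoted in the posts (both the flat 7.x `isakmp policy N attr value` form and the block `crypto isakmp policy N` form are parsed); the peer addresses and the matching model are assumptions: it models the documented IKEv1 rule that the responder walks its own policies lowest number first and takes the first one that agrees with any initiator policy on authentication, encryption, hash and DH group, with the shorter lifetime used when they differ.

```python
import re

# Constructed sample configs built from the lines quoted in the thread (not full ASA configs).
PROD_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto map Outside_map 40 set peer 8.14.88.82
tunnel-group 8.14.88.82 type ipsec-l2l
"""

SITEA_CONFIG = """\
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
crypto map Outside_map 40 set peer 9.12.12.8
tunnel-group 9.12.12.8 type ipsec-l2l
"""

ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
MUST_MATCH = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(config):
    """Return {priority: {attr: value}} from either the flat 7.x form
    ('isakmp policy N attr value') or the 8.x block form
    ('crypto isakmp policy N' followed by indented attribute lines)."""
    policies = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"(?:crypto )?isakmp policy (\d+)(?:\s+(\S+)\s+(\S+))?$", line)
        if m:
            prio = int(m.group(1))
            policies.setdefault(prio, {})
            if m.group(2):  # flat form: attribute is on the same line
                policies[prio][m.group(2)] = m.group(3)
                current = None
            else:           # block form: attributes follow, indented
                current = prio
            continue
        if current is not None and raw.startswith(" "):
            parts = line.split()
            if len(parts) == 2 and parts[0] in ATTRS:
                policies[current][parts[0]] = parts[1]
            continue
        current = None
    return policies


def first_match(initiator, responder):
    """Assumed IKEv1 phase-1 selection: the responder checks its policies in
    ascending priority number and returns (responder_prio, initiator_prio,
    lifetime) for the first pair that agrees on MUST_MATCH; lifetimes need not
    be equal, the shorter one is used. Returns None when nothing matches."""
    for r_prio in sorted(responder):
        r = responder[r_prio]
        for i_prio in sorted(initiator):
            i = initiator[i_prio]
            if all(i.get(a) == r.get(a) for a in MUST_MATCH):
                life = min(int(i.get("lifetime", 86400)), int(r.get("lifetime", 86400)))
                return (r_prio, i_prio, life)
    return None


def check_peers(config):
    """Every 'crypto map <name> <seq> set peer X' needs a
    'tunnel-group X type ipsec-l2l'; returns the peers that lack one."""
    peers = re.findall(r"^crypto map \S+ \d+ set peer (\S+)", config, re.M)
    groups = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", config, re.M))
    return [p for p in peers if p not in groups]


if __name__ == "__main__":
    prod, site = parse_isakmp_policies(PROD_CONFIG), parse_isakmp_policies(SITEA_CONFIG)
    print("PROD peers without tunnel-group:", check_peers(PROD_CONFIG))
    print("SiteA peers without tunnel-group:", check_peers(SITEA_CONFIG))
    print("SiteA -> PROD selects:", first_match(site, prod))
    print("PROD -> SiteA selects:", first_match(prod, site))
```

Run it against real `show run` output by replacing the two constructed strings; a non-empty list from `check_peers` is the typo acomiskey spotted, and `None` from `first_match` means no phase-1 policy pair agrees on the four parameters that have to be identical.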
