Site-to-Site VPN not working

Jun 30th, 2009

Hello


At our main office we have an ASA 5520 device that we connect to 3 or 4 other mini branches with an ASA 5505 at the other end.


This works well, but we need to add another mini branch. The site has an ISP router set up with a public IP. We plugged the new ASA 5505 into this router and configured it. We have also set up (again correctly, we think) the main ASA with a site-to-site VPN to this new remote site. However, we just don't seem to be able to get the devices to talk to each other. We just don't see the remote ASA connecting to the main ASA, and we don't see any messages on the remote ASA saying it is trying to connect to the main ASA.


We can PuTTY onto the remote ASA using its public IP from our main site, so it does seem to be connected to the internet.


Anyone any ideas what we have done wrong or what we can check?


Attached is a copy of our config with the IPs removed...


Many thanks



Todd Pula Tue, 06/30/2009 - 12:07

Assuming that the peer IP in your crypto map is accurate, I would first validate the status of VLAN1. Do you have any other active devices patched into the ASA5505's e0/1-e0/7 ports, or is only the outside interface attached? If there is a possibility that the hub will initiate the tunnel to the spoke, you will want to either configure "sysopt connection permit-vpn" or explicitly permit the IPSec protocols in your ingress ACL. I don't see PAT configured on this ASA. If you configure for PAT, you will want to be sure that you exempt the interesting traffic from the NAT process.

asmith1972 Wed, 07/01/2009 - 02:17

Many thanks - could you let me know how I would check that the peer IP in your crypto map is accurate?


We basically copied the config from an existing remote ASA config, changed the IP info and loaded it onto the new ASA.

xcz504d1114 Wed, 07/01/2009 - 08:51

In your "show run", probably 2 or 3 pages into it, you will start seeing lines that begin with "crypto map". In fact, if you use "show run | include crypto map" it will give you only the output that contains those lines.


What you are looking for is something like this:

crypto map outside_map 80 set peer 10.5.16.128


The word "outside_map" refers to the crypto map's name that I used, "80" is the number I used to associate other commands with this peer, "set peer 10.5.16.128" is the IP address of my remote site's ASA.


Looking at your configuration, the exact line you are looking to verify is

"crypto map outside_map 20 set peer Main-ASA-IP"



Verify that your set peer ip address is the correct one on both ends.


Also remember that when setting up a site-to-site VPN on an ASA, the tunnel group name has to match the IP address of the "set peer" statement.


At the bottom of your "show run" you should see the tunnel-group configuration, typically it's just a few lines, the name of the tunnel (in this case the IP address of the remote client) and the pre-shared key.


I also see that you have NAT-T disabled. If you are behind any type of NAT on either side, you need to enable this; otherwise your tunnel will not stay up.


These 2 lines:

"no crypto isakmp nat-traversal"

"crypto map outside_map 20 set nat-t-disable"


HTH,

Craig
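The checks Todd and Craig describe above (peer IP vs. tunnel-group name, NAT-T disabled, "sysopt connection permit-vpn") can be run mechanically over a saved "show run". The script below is an added example, not code from either poster or from Cisco; the config fragment it parses is constructed (documentation addresses 203.0.113.x, not the thread's real IPs) and reproduces the mismatch and NAT-T lines discussed in the replies. It assumes that on the ASA "sysopt connection permit-vpn" is on by default and only shows up in "show run" as "no sysopt connection permit-vpn" when it has been turned off.

```python
import re

# Constructed "show run" fragment (not the poster's attached config). The
# tunnel-group name deliberately does not match the crypto map peer, and NAT-T
# is disabled both globally and on the crypto map entry, as in the thread.
SAMPLE_RUN = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set nat-t-disable
crypto map outside_map interface outside
no crypto isakmp nat-traversal
crypto isakmp enable outside
tunnel-group 203.0.113.11 type ipsec-l2l
tunnel-group 203.0.113.11 ipsec-attributes
 pre-shared-key *****
"""

# The same fragment with the fixes applied: tunnel-group named after the peer,
# NAT-T re-enabled (keepalive 20 s), no per-entry nat-t-disable.
FIXED_RUN = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp nat-traversal 20
crypto isakmp enable outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)", re.M)
TG_L2L_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l", re.M)
NATT_DISABLE_RE = re.compile(r"^crypto map (\S+) (\d+) set nat-t-disable", re.M)


def peers(run):
    """Return {(map_name, seq): peer_ip} for every 'set peer' line."""
    return {(name, int(seq)): peer for name, seq, peer in PEER_RE.findall(run)}


def l2l_tunnel_groups(run):
    """Return the set of site-to-site (ipsec-l2l) tunnel-group names."""
    return set(TG_L2L_RE.findall(run))


def check_site_to_site(run):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    groups = l2l_tunnel_groups(run)
    # Craig's point: the tunnel-group name must equal the 'set peer' address.
    for (name, seq), peer in sorted(peers(run).items()):
        if peer not in groups:
            findings.append(
                f"crypto map {name} {seq}: peer {peer} has no matching "
                f"'tunnel-group {peer} type ipsec-l2l'")
    # NAT-T disabled globally or per crypto map entry (Craig's two lines).
    if re.search(r"^no crypto isakmp nat-traversal", run, re.M):
        findings.append("NAT-T disabled globally ('no crypto isakmp nat-traversal')")
    for name, seq in NATT_DISABLE_RE.findall(run):
        findings.append(f"crypto map {name} {seq}: NAT-T disabled ('set nat-t-disable')")
    # Todd's point: hub-initiated tunnels need IPsec permitted inbound. Assumption:
    # the sysopt is default-on and only appears in show run when negated.
    if re.search(r"^no sysopt connection permit-vpn", run, re.M):
        findings.append("'sysopt connection permit-vpn' is disabled; permit ISAKMP/ESP in the ingress ACL")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_RUN), ("after fixes", FIXED_RUN)):
        print(f"== {label} ==")
        for f in check_site_to_site(cfg) or ["no findings"]:
            print(" -", f)
```

Paste a real "show run" into the place of SAMPLE_RUN (or read it from a file) and compare the findings against the other end's config; the peer/tunnel-group check has to pass on both ASAs, not just the new spoke.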
