Easy VPN between ASA 5520 and C857

alexnsw_200sx
Level 1

Hi,

I'm trying to set up an Easy VPN between a Cisco ASA 5520 8.0(3)6 and a Cisco 857 router 12.4(15)T7 C850-ADVSECURITYK9-M.

The firewall has a permanent public IP configuration and acts as the Easy VPN server; the router doesn't have a permanent public IP assigned and acts as the Easy VPN client.

I've attached the configurations of both the server (ASA5520) and the client (c857).

When I do sh cry ipsec client ezvpn on the router, I get this:

Easy VPN Remote Phase: 6
Tunnel name : ASA
Inside interface list: Vlan1
Outside interface: Dialer0
Current State: SS_OPEN
Last Event: SOCKET_READY
DNS Primary: 211.29.132.12
DNS Secondary: 10.46.2.202
Save Password: Allowed

When I do sh crypto isakmp sa on the firewall, I get the following:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: xxx.xx.xxx.xx
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_TM_INIT_MODECFG_V6H

When I do sh crypto isakmp sa on the router, I get the following:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
xxx.xxx.xx.x    yyy.yy.yyy.yy   QM_IDLE           2038    0 ACTIVE
xxx.xxx.xx.x    yyy.yy.yyy.yy   MM_NO_STATE       2037    0 ACTIVE (deleted)
xxx.xxx.xx.x    yyy.yy.yyy.yy   MM_NO_STATE       2036    0 ACTIVE (deleted)
xxx.xxx.xx.x    yyy.yy.yyy.yy   MM_NO_STATE       2035    0 ACTIVE (deleted)

I'm stuck at this point.

Your help is much appreciated.

2 Replies

Not applicable

You may try adding the command "set isakmp-profile profile-name". This command describes the ISAKMP profile to use when you start the Internet Key Exchange (IKE) exchange. Before configuring an ISAKMP profile on a crypto map, you should set up the ISAKMP profile.

Hi,

I think the router (client) is having trouble accepting config from the ASA (server).

I've attached the log from the router (client).

And here is the log from ASA:

Jul 30 09:13:56 [IKEv1]: Group = EZVPN-NZ, Username = vpnuser, IP = yyy.yy.yyy.yy, Removing peer from peer table failed, no match!

Jul 30 09:13:56 [IKEv1]: Group = EZVPN-NZ, Username = vpnuser, IP = yyy.yy.yyy.yy, Error: Unable to remove PeerTblEntry
