5712 Views | 5 Helpful | 6 Replies

site-to-site with ASA 5505

sgaw (Level 1)

Attempting to set up a site-to-site IPsec VPN with two ASA 5505s running 8.0(5):

10.1.1.0/24 --> ASA 5505 (atl) --> Internet <-- ASA 5505 (bna) <-- 192.168.22.0/24

"There are no isakmp sas" and "There are no ipsec sas"

configs attached....

Any ideas?

6 Replies

Ivan Martinon (Level 7)

Tunnel config is OK. Have you tried passing traffic through the tunnel to bring it up? Enable the following command on both firewalls:

management-access inside

Then go ahead and do a ping inside 192.168.22.1 from the asa-atl firewall. Do you get replies? Does the tunnel seem to come up?

Thank you for the response.

I enabled "management-access inside" on both ASAs, and pinged from the atl ASA. No response. No SAs. It's weird.

OK, turn on the following debug on both boxes and try again: debug crypto isakmp 50

Ping again with ping inside... and see what debug output you get on both; please paste it here.

I think I forgot to specify the interface with my last ping, and when I specified ping though the inside interface, the tunnel came up.

So what was the key? What did "management-access inside" do?

Thanks for your help.

No magic there. The only thing we did was to allow the ASA to send pings sourced from its inside interface, which will then match the interesting-traffic crypto ACL and bring the tunnel up. The management-access command helps with administration of the ASA via an IPsec tunnel for HTTPS, telnet, SSH and some other features.

As for your tunnel, you always need to pass traffic to get the tunnel built.
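How the pieces above fit together on the atl side, as an added example (constructed here, not the configs attached to the original post, and using 8.0(5)-era syntax): the peer addresses, the pre-shared key and the inside address 10.1.1.1 are assumed placeholders, and the bna ASA needs the mirror-image ACL and peer.

```text
! atl ASA 5505, 8.0(5) syntax -- constructed example, not the thread's attached configs
! Assumed placeholders: ATL_PUBLIC_IP, BNA_PUBLIC_IP, <pre-shared-key>, inside address 10.1.1.1
!
! Interesting traffic: only packets matching this ACL trigger IKE negotiation
access-list atl-to-bna extended permit ip 10.1.1.0 255.255.255.0 192.168.22.0 255.255.255.0
! Exempt VPN traffic from NAT so it still matches the crypto ACL
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.22.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Phase 1 (ISAKMP) and phase 2 (IPsec) parameters; both sides must agree on these
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address atl-to-bna
crypto map outside_map 10 set peer BNA_PUBLIC_IP
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
tunnel-group BNA_PUBLIC_IP type ipsec-l2l
tunnel-group BNA_PUBLIC_IP ipsec-attributes
 pre-shared-key <pre-shared-key>
!
! Allows the ASA's own traffic to be sourced from the inside interface (10.1.1.1)
management-access inside
!
! Test from the ASA itself: sourced from inside, so it falls inside 10.1.1.0/24 -> 192.168.22.0/24,
! matches atl-to-bna and brings the tunnel up. A ping with no interface goes out via the outside
! address and never matches the crypto ACL, which is why no SAs appeared earlier in the thread.
ping inside 192.168.22.1
! Verify phase 1 and phase 2; before any matching traffic both report "There are no ... sas"
show crypto isakmp sa
show crypto ipsec sa
! If negotiation still fails, watch it on both ASAs
debug crypto isakmp 50
```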

This helped resolve my issue as well, and I didn't have to call the client to test. Thank you
