Site to Site VPN on ASA 5505

Answered Question
Mar 18th, 2010

Hi


I am trying to set up a Site to Site VPN tunnel between Site A and Site B.


I ran through the VPN wizard on both sides but the tunnel isn't active.


Site B already has one VPN to an IP of 62.77.xx.xx and I need to change this to a new IP.


I will attach both configs, hopefully somebody will spot what I have done wrong.


Thanks

Federico Coto F... Thu, 03/18/2010 - 12:15

Hi,


You're sending the VPN traffic through two different VPN tunnels (configured on the second config).


The ACL applied to the crypto map defines the same traffic for both tunnels, but the first configuration only has one IP, so this is wrong.


Also, please attach the output from the commands:


debug cry isa 155

debug cry ipsec 155


from the ASA while trying to establish the tunnel; this will let us know exactly where it is failing.


Federico.

drikilbride Thu, 03/18/2010 - 12:33

I only have access to the ASDM console for both sites at the moment and I'm not able to run those debug commands.


When you say in the second config (which I assume is SiteB) that I am sending traffic through two different VPN tunnels what do you mean exactly? (Sorry for the silly question).


That ASA should only have one VPN tunnel going to 193.xx.xx.130.


In the morning I will be going to that site and changing its actual internet connection to a new ISP and re-creating the tunnel to 193.xx.xx.130.


On Site A's VPN stats I can see its RX Bytes value increasing but its TX Bytes value is 0.


On Site B's VPN stats I can see its RX Bytes is 0 and its TX Value is increasing.


Would that mean the fault lies with Site A as it isn't transmitting to Site A?


Thanks again for all your help.

Federico Coto F... Thu, 03/18/2010 - 12:39

Site A has a tunnel pointing to this IP:  194.125.91.30
It is sending traffic from 10.255.0.0/16 to 192.168.19.0/24 through the tunnel.


Site B has two tunnels:
One pointing to IP 62.77.180.162
The other to IP 77.75.100.194
Both tunnels send traffic from 192.168.19.0/24 to 10.255.0.0/16 through the tunnel.

Which one is the correct tunnel on Site B?
In other words, which IP is the correct one to reach Site A, 62.77.180.162 or 77.75.100.194?


What you say is correct in that there's a problem at Site A, which is not TX-ing packets.


Federico.

drikilbride Thu, 03/18/2010 - 12:47

Okay I see what you mean now!


The tunnel to 62.77.180.162 is the old tunnel which I have now actually removed.


The tunnel to 77.75.100.194 was actually a typo from earlier and should read 193.120.xx.xx.


I altered the config slightly after I posted the question, sorry about that.


So at the moment Site A (193.120.XX.XX) has a tunnel to Site B (194.125.XX.XX) and vice versa.


Site A has the TX Bytes = 0 and Site B has the RX Bytes = 0


Sorry about all the confusion, I hope that makes sense!


Thanks again!

Correct Answer
Federico Coto F... Thu, 03/18/2010 - 12:55

You can include the command (or from ADSM):


management-access inside


This will allow you to test the VPN tunnel by initiating traffic from one side's inside IP to the other site's inside IP. (In other words, you don't need access to any device on the inside network, just try to initiate the tunnel from the ASA itself).


For example from Site A:


management-access inside

ping inside x.x.x.x    -->    x.x.x.x is Site B's inside IP


Site B:


management-access inside

ping inside y.y.y.y  -->   y.y.y.y is Site A's inside IP


Check the TX and RX packets on both sites after this.


Federico.

drikilbride Thu, 03/18/2010 - 13:05

No change, the TX on Site A remained at 0 but the RX increased.


On Site B the TX increased but the RX stayed at zero.


Neither ping was successful though.

Federico Coto F... Thu, 03/18/2010 - 13:12

If Site's A TX is 0, then the problem is at Site's A.


Site A should bypass NAT and then encrypt the traffic when going to Site B.


The default gateway that you have on Site A has a metric of 255. (This is unreachable; why do you have such a metric?) Do you have Internet access fine from Site A?


Change the command:


no route outside 0.0.0.0 0.0.0.0 xxxxxxxxx 255

to

route outside 0.0.0.0 0.0.0.0 xxxxxxxxx 255


Let's see...


Federico.

drikilbride Thu, 03/18/2010 - 13:25

We have internet access on Site A's firewall. We also have another remote site (SITE C) coming through Site A and it's fine. Its TX value is increasing all the time.


I haven't changed the route command just in case it affects Site C that is up and running.


I bet it's something simple I'm missing here!

Federico Coto F... Thu, 03/18/2010 - 13:34

Please post your current configs exactly as they are now.


Federico.

Federico Coto F... Thu, 03/18/2010 - 13:53

Sorry to insist, but you're positive that the second tunnel on Site A is not established (the one you say to ignore in the configuration)?


It's because, if this tunnel is established, all traffic intended for Site B will be sent incorrectly through this other tunnel we should ignore.


Federico.
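
A small checker for the two configuration problems Federico raises in this thread: two crypto map entries whose ACLs match the same traffic but point at different peers (his 12:39 and 13:53 posts), and a default route with metric 255 (his 13:12 post). This is an added example, not anything posted in the thread or taken from the attached configs; the sample config is constructed from the addresses quoted above, and the ACL name outside_1_cryptomap, the transform-set line for entry 1 and the gateway placeholder are assumed.

```python
import re
from collections import defaultdict

# Constructed sample merging the Site B crypto-map lines quoted in the thread
# with the metric-255 default route flagged on Site A. outside_1_cryptomap and
# the entry-1 transform-set line are assumed ASDM-style names, not from the page.
SAMPLE_CONFIG = """
access-list outside_1_cryptomap extended permit ip 192.168.19.0 255.255.255.0 10.255.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 192.168.19.0 255.255.255.0 10.255.0.0 255.255.0.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 62.77.180.162
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 77.75.100.194
crypto map outside_map 2 set transform-set ESP-3DES-SHA
route outside 0.0.0.0 0.0.0.0 xxxxxxxxx 255
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)$")


def check_crypto_config(config):
    """Return a list of findings: ambiguous crypto-map entries and unusable default routes."""
    acl_flows = defaultdict(set)   # ACL name -> {(src, dst)} network/mask pairs
    entries = defaultdict(dict)    # (map name, seq) -> {"acl": ..., "peer": ...}
    findings = []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acl_flows[m.group(1)].add((m.group(2), m.group(3)))
        elif m := MAP_RE.match(line):
            key = (m.group(1), int(m.group(2)))
            entries[key]["acl" if m.group(3) == "match address" else "peer"] = m.group(4)
        elif m := ROUTE_RE.match(line):
            if int(m.group(3)) == 255:
                findings.append(f"default route via {m.group(2)} has metric 255 (unusable)")
    # The ASA evaluates crypto map entries in sequence order, so when two entries
    # match the same flow only the lowest sequence number ever carries it.
    flow_owners = defaultdict(list)
    for (name, seq), e in sorted(entries.items()):
        for flow in acl_flows.get(e.get("acl", ""), ()):
            flow_owners[flow].append((name, seq, e.get("peer")))
    for (src, dst), owners in flow_owners.items():
        peers = {o[2] for o in owners}
        if len(owners) > 1 and len(peers) > 1:
            findings.append(f"flow {src} -> {dst} matched by {len(owners)} entries with different "
                            f"peers {sorted(peers)}; only seq {owners[0][1]} (peer {owners[0][2]}) is used")
    return findings
```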

drikilbride Thu, 03/18/2010 - 14:00

You're fine!


That second tunnel 77.75.xx.xx doesn't even exist yet. It is going to be the new ISP on site B eventually but at the moment it's not even hooked up to our system or even to the firewall in Site B.


Just to confirm I have taken a screen shot of the VPN Sessions.


How do I remove it altogether from Site A, just to ensure it's not causing confusion somehow?
Federico Coto F... Thu, 03/18/2010 - 14:08

Let's remove it anyway...


no crypto map outside_map 2 match address outside_2_cryptomap
no crypto map outside_map 2 set pfs group1
no crypto map outside_map 2 set peer 77.75.XX
no crypto map outside_map 2 set transform-set ESP-3DES-SHA


Let's see if it makes any difference.


Federico.

drikilbride Thu, 03/18/2010 - 14:18

No luck, Federico.


Still the same. TX isn't increasing on Site A for the tunnel but TX is increasing on Site B.


I'm lost at this stage.


Thanks for sticking with this as long as you have, it's much appreciated.

Federico Coto F... Thu, 03/18/2010 - 14:37

Hello,


Honestly (unless I'm missing something), I don't see any reason why the tunnel won't establish and pass traffic correctly so far just by looking at the configurations.


Can't you SSH to the ASA to get the debugs?


Federico.

drikilbride Mon, 03/22/2010 - 08:34

Hi Federico


Just to let you know I rebooted both ASAs late last week and everything is working perfectly now!!!


Not sure what was going on.


Thanks again for all your help!
