Site to Site VPN on ASA 5505

Answered Question
Mar 18th, 2010

Hi

I am trying to set up a Site to Site VPN tunnel between Site A and Site B.

I ran through the VPN wizard on both sides but the tunnel isn't active.

Site B already has one VPN to an IP of 62.77.xx.xx and I need to change this to a new IP.

I will attach both configs, hopefully somebody will spot what I have done wrong.

Thanks

Federico Coto F... Thu, 03/18/2010 - 12:15

Hi,

You're sending the VPN traffic through two different VPN tunnels (configured on the second config).

The ACL applied to the crypto map defines the same traffic for both tunnels, but the first configuration only has one IP, so this is wrong.

Also, please attach the output from the commands:

debug cry isa 155

debug cry ipsec 155

From the ASA, when trying to establish the tunnel; this will let us know exactly where it is failing.

Federico.

drikilbride Thu, 03/18/2010 - 12:33

I only have access to the ASDM console for both sites at the moment and I'm not able to run those debug commands.

When you say in the second config (which I assume is SiteB) that I am sending traffic through two different VPN tunnels what do you mean exactly? (Sorry for the silly question).

That ASA should only have one VPN tunnel going to 193.xx.xx.130.

In the morning I will be going to that site and changing its actual internet connection to a new ISP and re-creating the tunnel to 193.xx.xx.130.

On Site A's VPN stats I can see its RX Bytes value increasing but its TX Bytes value is 0.

On Site B's VPN stats I can see its RX Bytes is 0 and its TX Value is increasing.

Would that mean the fault lies with Site A as it isn't transmitting to Site A?

Thanks again for all your help.

Federico Coto F... Thu, 03/18/2010 - 12:39

Site A has a tunnel pointing to this IP:  194.125.91.30
It is sending traffic from 10.255.0.0/16 to 192.168.19.0/24 through the tunnel.

Site B has two tunnels:
One pointing to IP 62.77.180.162
The other to IP 77.75.100.194
Both tunnels send traffic from 192.168.19.0/24 to 10.255.0.0/16 through the tunnel.

Which one is the correct tunnel on Site B?
In other words, which IP is the correct one to reach Site A, 62.77.180.162 or 77.75.100.194?

What you say is correct, in that there's a problem at Site A, which is not transmitting packets.

Federico.

drikilbride Thu, 03/18/2010 - 12:47

Okay I see what you mean now!

The tunnel to 62.77.180.162 is the old tunnel which I have now actually removed.

The tunnel to 77.75.100.194 was actually a typo from earlier and should read 193.120.xx.xx.

I altered the config slightly after I posted the question, sorry about that.

So at the moment Site A (193.120.XX.XX) has a tunnel to Site B (194.125.XX.XX.) and vice versa.

Site A has the TX Bytes = 0 and Site B has the RX Bytes = 0

Sorry about all the confusion, I hope that makes sense!

Thanks again!

Correct Answer
Federico Coto F... Thu, 03/18/2010 - 12:55

You can include the command (or from ASDM):

management-access inside

This will allow you to test the VPN tunnel, initiating traffic from one side's inside IP to the other site's inside IP. (In other words, you don't need access to any device on the inside network, just try to initiate the tunnel from the ASA itself).

For example from Site A:

management-access inside

ping inside x.x.x.x    -->    x.x.x.x is Site B's inside IP

Site B:

management-access inside

ping inside y.y.y.y  -->   y.y.y.y is Site A's inside IP

Check the TX and RX packets on both sites after this.

Federico.

drikilbride Thu, 03/18/2010 - 13:05

No change, the TX on Site A remained at 0 but the RX increased.

On Site B the TX increased but the RX stayed at zero.

Neither ping was successful though.

Federico Coto F... Thu, 03/18/2010 - 13:12

If Site A's TX is 0, then the problem is at Site A.

Site A should bypass NAT and then encrypt the traffic when going to Site B.

The default gateway that you have on Site A has a metric of 255. (This is unreachable; why do you have such a metric?)  Do you have Internet access fine from Site A?

Change the command:

no route outside 0.0.0.0 0.0.0.0 xxxxxxxxx 255

to

route outside 0.0.0.0 0.0.0.0 xxxxxxxxx 255

Let's see...

Federico.
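
The two configuration points Federico raises in this thread (a second crypto map entry on Site B whose ACL selects the same traffic as the first, and Site A needing to bypass NAT before encrypting) can both be checked offline against a saved config. The script below is an added example and is not part of the thread or of any Cisco tooling. The config it parses is constructed to mirror Site B as described (two crypto map entries both selecting 192.168.19.0/24 -> 10.255.0.0/16), with documentation-range placeholder peer addresses in place of the thread's real IPs, and it assumes the ASA 8.2-style `nat (inside) 0 access-list` NAT-exemption syntax in use in 2010.

```python
"""Audit an ASA (8.2-style) config for two site-to-site VPN misconfigurations:
crypto map entries whose ACLs select the same traffic, and crypto ACL traffic
that is not exempted from NAT. Added example, not Cisco tooling."""
import re
from ipaddress import ip_network
from itertools import combinations

# Only the line shapes the audit needs are parsed; everything else is ignored.
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip "
    r"(\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

# Constructed config mirroring Site B from the thread: two crypto map entries
# both selecting 192.168.19.0/24 -> 10.255.0.0/16. Peer addresses are
# documentation-range placeholders, not the thread's real IPs.
SITE_B_CONFIG = """
access-list outside_1_cryptomap extended permit ip 192.168.19.0 255.255.255.0 10.255.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 192.168.19.0 255.255.255.0 10.255.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.19.0 255.255.255.0 10.255.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.0.2.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 198.51.100.2
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""


def parse_asa_config(text):
    """Collect permit-ip ACL entries, crypto map entries and nat 0 ACL names."""
    acls, cmaps, nat0 = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")))
            continue
        m = CMAP_RE.match(line)
        if m:
            name, seq, kind, arg = m.groups()
            entry = cmaps.setdefault((name, int(seq)), {"acl": None, "peers": []})
            if kind == "match address":
                entry["acl"] = arg
            else:
                entry["peers"].extend(arg.split())
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
    return {"acls": acls, "cmaps": cmaps, "nat0": nat0}


def _overlaps(flow_a, flow_b):
    return flow_a[0].overlaps(flow_b[0]) and flow_a[1].overlaps(flow_b[1])


def _nat_exempt(flow, exempt_flows):
    return any(flow[0].subnet_of(e[0]) and flow[1].subnet_of(e[1]) for e in exempt_flows)


def audit_crypto_maps(cfg):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    acls, cmaps = cfg["acls"], cfg["cmaps"]
    # 1. Two entries of one crypto map selecting overlapping traffic: the lower
    #    sequence number is evaluated first, so the other peer never gets it.
    for (n1, s1), (n2, s2) in combinations(sorted(cmaps), 2):
        if n1 != n2:
            continue
        e1, e2 = cmaps[(n1, s1)], cmaps[(n2, s2)]
        flows1, flows2 = acls.get(e1["acl"], []), acls.get(e2["acl"], [])
        if any(_overlaps(f1, f2) for f1 in flows1 for f2 in flows2):
            findings.append(
                f"{n1}: seq {s1} (peer {','.join(e1['peers'])}) and seq {s2} "
                f"(peer {','.join(e2['peers'])}) select overlapping traffic; "
                f"seq {s1} wins and seq {s2} never carries it")
    # 2. Crypto ACL traffic must bypass NAT; translated packets no longer match
    #    the crypto ACL, so nothing is encrypted and the tunnel's TX stays at 0.
    exempt = [f for acl in cfg["nat0"].values() for f in acls.get(acl, [])]
    for (name, seq), entry in sorted(cmaps.items()):
        for flow in acls.get(entry["acl"], []):
            if not _nat_exempt(flow, exempt):
                findings.append(f"{name} seq {seq}: {flow[0]} -> {flow[1]} is not NAT-exempt")
    return findings


if __name__ == "__main__":
    for finding in audit_crypto_maps(parse_asa_config(SITE_B_CONFIG)):
        print(finding)
```

Run against a `show running-config` saved to a file, the overlap check reproduces the diagnosis Federico gives from Site B's config, and the NAT-exemption check covers the "bypass NAT and then encrypt" condition he raises for Site A; in the constructed sample the overlap is reported and the NAT exemption passes, and deleting the `nat (inside) 0` line makes both entries get flagged as not exempt.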

drikilbride Thu, 03/18/2010 - 13:25

We have internet access on Site A's firewall. We also have another remote site (Site C) coming through Site A and it's fine. Its TX value is increasing all the time.

I haven't changed the route command just in case it affects Site C that is up and running.

I bet it's something simple I'm missing here!

Federico Coto F... Thu, 03/18/2010 - 13:53

Sorry to insist, but are you positive that the second tunnel on Site A (the one you say to ignore in the configuration) is not established?

It's because if this tunnel is established, all traffic intended for Site B will be sent incorrectly to this other tunnel we should ignore.

Federico.

drikilbride Thu, 03/18/2010 - 14:00

You're fine!

That second tunnel 77.75.xx.xx doesn't even exist yet. It is going to be the new ISP on Site B eventually, but at the moment it's not even hooked up to our system or even to the firewall in Site B.

Just to confirm I have taken a screen shot of the VPN Sessions.

How do I remove it altogether from Site A, just to ensure it's not causing confusion somehow?

Federico Coto F... Thu, 03/18/2010 - 14:08

Let's remove it anyway...

no crypto map outside_map 2 match address outside_2_cryptomap
no crypto map outside_map 2 set pfs group1
no crypto map outside_map 2 set peer 77.75.XX

no crypto map outside_map 2 set transform-set ESP-3DES-SHA

Let's see if it makes any difference.

Federico.

drikilbride Thu, 03/18/2010 - 14:18

No luck Federico

Still the same. TX is not increasing on Site A for the tunnel, but TX is increasing on Site B.

I'm lost at this stage.

Thanks for sticking with this as long as you have, it's much appreciated.

Federico Coto F... Thu, 03/18/2010 - 14:37

Hello,

Honestly (unless I'm missing something), I don't see any reason why the tunnel won't establish and pass traffic correctly so far just by looking at the configurations.

Can't you SSH to the ASA to get the debugs?

Federico.

drikilbride Mon, 03/22/2010 - 08:34

Hi Federico

Just to let you know I rebooted both ASAs late last week and everything is working perfectly now!!!

Not sure what was going on.

Thanks again for all your help!
