03-18-2010 06:36 AM - edited 03-11-2019 10:23 AM
Hi
I am trying to set up a Site to Site VPN tunnel between Site A and Site B.
I ran through the VPN wizard on both sides but the tunnel isn't active.
Site B already has one VPN to an IP of 62.77.xx.xx and I need to change this to a new IP.
I will attach both configs, hopefully somebody will spot what I have done wrong.
Thanks
03-18-2010 12:15 PM
Hi,
You're sending the VPN traffic through two different VPN tunnels (configured on the second config).
The ACL applied to the crypto map defines the same traffic for both tunnels, but the first configuration only has one IP, so this is wrong.
Also, please attach the output from the commands:
debug cry isa 155
debug cry ipsec 155
From the ASA, when trying to establish the tunnel, and this will let us know exactly where it is failing.
Federico.
03-18-2010 12:33 PM
I only have access to the ASDM console for both sites at the moment and I'm not able to run those debug commands.
When you say in the second config (which I assume is SiteB) that I am sending traffic through two different VPN tunnels what do you mean exactly? (Sorry for the silly question).
That ASA should only have one VPN tunnel going to 193.xx.xx.130.
In the morning I will be going to that site and changing its actual internet connection to a new ISP and re-creating the tunnel to 193.xx.xx.130.
On Site A's VPN stats I can see its RX Bytes value increasing but its TX Bytes value is 0.
On Site B's VPN stats I can see its RX Bytes is 0 and its TX Value is increasing.
Would that mean the fault lies with Site A as it isn't transmitting to Site A?
Thanks again for all your help.
03-18-2010 12:39 PM
Site A has a tunnel pointing to this IP: 194.125.91.30
Is sending traffic from 10.255.0.0/16 to 192.168.19.0/24 through the tunnel.
Site B has two tunnels:
One pointing to IP 62.77.180.162
The other to IP 77.75.100.194
Both tunnels send traffic from 192.168.19.0/24 to 10.255.0.0/16 through the tunnel.
Which one is the correct tunnel on Site B?
In other words, which IP is the correct one to reach Site A 62.77.180.162 or 77.75.100.194?
What you say is correct in terms that there's a problem at Site A that is not transmitting (TX) packets.
Federico.
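The mismatch Federico describes (Site B has two crypto map entries that both match the same interesting-traffic ACL, while Site A has one entry pointing at a single peer) is the kind of thing that is easy to miss in ASDM but easy to catch with a script. The following is an added example, not part of this thread or of any Cisco tool: it parses a simplified subset of ASA configuration (only `access-list ... extended permit ip` lines and the `match address` / `set peer` lines of crypto map entries), flags crypto map entries that share an ACL, and checks that the interesting traffic on one side is the exact mirror of the other side's. The two configs are constructed to reproduce the situation in the thread and use the peer addresses quoted above; object-group and `host` syntax are deliberately not handled.

```python
import re
from collections import defaultdict

# Constructed sample configs (not the thread's real attachments). Site A has one
# crypto map entry; Site B has two entries that both match the same crypto ACL.
SITE_A_CONFIG = """
access-list outside_1_cryptomap extended permit ip 10.255.0.0 255.255.0.0 192.168.19.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 194.125.91.30
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""

SITE_B_CONFIG = """
access-list outside_1_cryptomap extended permit ip 192.168.19.0 255.255.255.0 10.255.0.0 255.255.0.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 62.77.180.162
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer 77.75.100.194
"""

# Only the subset of ASA syntax needed for this check; object-groups, 'host' and
# 'any' keywords are intentionally out of scope for this example.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")


def parse_asa(config):
    """Return (acls, entries).

    acls:    ACL name -> set of (src, src_mask, dst, dst_mask) tuples
    entries: (crypto map name, sequence) -> {'acl': ..., 'peer': ...}
    """
    acls = defaultdict(set)
    entries = defaultdict(dict)
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].add(tuple(m.group(2, 3, 4, 5)))
            continue
        m = MAP_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            field = "acl" if m.group(3) == "match address" else "peer"
            entries[key][field] = m.group(4)
    return dict(acls), dict(entries)


def local_problems(config):
    """Flag entries missing an ACL or peer, and ACLs shared by several entries.

    The ASA evaluates crypto map entries in sequence order and uses the first
    one whose ACL matches, so a second entry with the same ACL never carries
    traffic: the second peer silently gets nothing.
    """
    _, entries = parse_asa(config)
    problems = []
    by_acl = defaultdict(list)
    for key, entry in sorted(entries.items()):
        if "acl" not in entry or "peer" not in entry:
            problems.append(f"{key[0]} {key[1]}: incomplete entry (needs match address and set peer)")
        else:
            by_acl[entry["acl"]].append(key)
    for acl, keys in by_acl.items():
        if len(keys) > 1:
            seqs = ", ".join(str(k[1]) for k in keys)
            problems.append(f"ACL {acl} is matched by crypto map entries {seqs}: "
                            f"only the lowest sequence will ever carry this traffic")
    return problems


def mirror_problems(config_a, config_b):
    """Return interesting-traffic lines that are not mirrored on the other side.

    Each (src, dst) on side A must appear as (dst, src) on side B; otherwise the
    phase 2 proxy IDs disagree and the SA is never built for that flow.
    """
    acls_a, entries_a = parse_asa(config_a)
    acls_b, entries_b = parse_asa(config_b)
    flows_a = set().union(*(acls_a.get(e.get("acl"), set()) for e in entries_a.values()))
    flows_b = set().union(*(acls_b.get(e.get("acl"), set()) for e in entries_b.values()))
    mirrored_b = {(d, dm, s, sm) for (s, sm, d, dm) in flows_b}
    return sorted(flows_a ^ mirrored_b)


if __name__ == "__main__":
    for name, cfg in (("Site A", SITE_A_CONFIG), ("Site B", SITE_B_CONFIG)):
        print(name, local_problems(cfg) or "crypto map entries look consistent")
    print("unmirrored flows:", mirror_problems(SITE_A_CONFIG, SITE_B_CONFIG) or "none")
```

Run against the constructed configs, Site A passes, Site B is reported for the shared ACL across sequences 1 and 2, and the mirror check is clean, which matches Federico's reading: the traffic selectors agree, but Site B cannot know which of its two peers is meant to receive the flow.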
03-18-2010 12:47 PM
Okay I see what you mean now!
The tunnel to 62.77.180.162 is the old tunnel which I have now actually removed.
The tunnel to 77.75.100.194 was actually a typo from earlier and should read 193.120.xx.xx.
I altered the config slightly after I posted the question, sorry about that.
So at the moment Site A (193.120.XX.XX) has a tunnel to Site B (194.125.XX.XX.) and vice versa.
Site A has the TX Bytes = 0 and Site B has the RX Bytes = 0
Sorry about all the confusion, I hope that makes sense!
Thanks again!
03-18-2010 12:55 PM
You can include the command (or from ASDM):
management-access inside
This will allow you to test the VPN tunnel by initiating traffic from one side's inside IP to the other site's inside IP. (In other words, you don't need access to any device on the inside network, just try to initiate the tunnel from the ASA itself).
For example from Site A:
management-access inside
ping inside x.x.x.x --> x.x.x.x is Site B's inside IP
Site B:
management-access inside
ping inside y.y.y.y --> y.y.y.y is Site A's inside IP
Check the TX and RX packets on both sites after this.
Federico.
03-18-2010 01:05 PM
No change, the TX on Site A remained at 0 but the RX increased.
On Site B the TX increased but the RX stayed at zero.
Neither ping was successful though.
03-18-2010 01:12 PM
If Site's A TX is 0, then the problem is at Site's A.
Site A should bypass NAT and then encrypt the traffic when going to Site B.
The default gateway that you have on Site A has a metric of 255. (This is unreachable; why do you have such a metric?) Do you have Internet access fine from Site A?
Change the command:
no route outside 0.0.0.0 0.0.0.0 xxxxxxxxx 255
to
route outside 0.0.0.0 0.0.0.0 xxxxxxxxx 255
Let's see...
Federico.
03-18-2010 01:25 PM
We have internet access on Site A's firewall. We also have another remote site (Site C) coming through Site A
and it's fine. Its TX value is increasing all the time.
I haven't changed the route command just in case it affects Site C that is up and running.
I bet it's something simple I'm missing here!
03-18-2010 01:34 PM
Please post your current configs exactly as they are now.
Federico.
03-18-2010 01:45 PM
03-18-2010 01:53 PM
Sorry to insist, but are you positive that the second tunnel on Site A is not established (the one you say to ignore in the configuration)?
It's because if this tunnel is established, all traffic intended for Site B will be sent incorrectly to this other tunnel we should ignore.
Federico.
03-18-2010 02:00 PM
You're fine!
That second tunnel 77.75.xx.xx doesn't even exist yet. It is going to be the new ISP on Site B eventually, but at the moment it's not even hooked up to our system or even to the firewall in Site B.
Just to confirm I have taken a screen shot of the VPN Sessions.
How do I remove it altogether from Site A, just to ensure it's not causing confusion somehow?
03-18-2010 02:08 PM
Let's remove it anyway...
no crypto map outside_map 2 match address outside_2_cryptomap
no crypto map outside_map 2 set pfs group1
no crypto map outside_map 2 set peer 77.75.XX
no crypto map outside_map 2 set transform-set ESP-3DES-SHA
Let's see if it makes any difference.
Federico.
03-18-2010 02:18 PM
No luck Federico
Still the same. TX isn't increasing on Site A for the tunnel, but TX is increasing on Site B.
I'm lost at this stage.
Thanks for sticking with this as long as you have, it's much appreciated.