09-04-2015 09:19 AM
Hello,
I have a site-to-site tunnel terminating on my Cisco ASA. It was working fine, but then I changed the NAT config on my external router. Now I am getting this. Any ideas?
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All
configured IKE versions failed to establish the tunnel. Map Tag = mapTag. Map
Sequence Number = mapSeq.
An attempt to bring up an L2L tunnel to a peer failed after trying with all configured protocols.
• mapTag—Name of the crypto map for which the initiation entry was removed
• mapSeq—Sequence number of the crypto map for which the initiation entry was removed
09-04-2015 09:28 AM
Please post the simultaneous crypto debug outputs from both ends:
debug crypto condition peer <peer ip>
debug crypto isakmp 127
debug crypto ipsec 127
09-07-2015 02:10 AM
09-07-2015 05:54 AM
I forgot to say that everything was working fine a week ago. But I removed the external internet router and instead now have it plugged straight into the external firewall. NAT that was previously done on the external firewall is now done on the firewall.
It's probably a NAT issue, but the funny thing is we have several site-to-site VPNs which are all working. But this one VPN, which is built with IPsec and a GRE tunnel, just doesn't work.
I can ping the external address from the firewall, but I can't SSH or Telnet to it anymore, as the tunnel is down.
Any ideas what could be missing on the NAT side of things?
09-07-2015 06:18 AM
show crypto isakmp sa
8 IKE Peer: 0.0.0.0
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
09-07-2015 08:07 PM
Why is the IKE peer showing as 0.0.0.0? Please share the crypto config from the ASA.
09-08-2015 03:57 AM
It's not; it has a proper peer address, but I don't want to post it.
There is nothing wrong with the crypto on either side; it's something to do with NAT. Have you any ideas?
09-09-2015 11:26 PM
Please apply the following capture on both tunnel endpoints:
capture capo interface outside match udp host <public ip of local ASA> host <public ip of remote end>
Try to initiate the tunnel and check if you see UDP 500 on both ends with "show cap capo".
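An added example, not part of the thread, of how one might correlate the two captures described above: an initiator stuck in MM_WAIT_MSG2 has sent IKE main-mode message 1 and never received message 2, so comparing where UDP 500 is seen (and from which source address and port) on each end narrows down which hop, and which NAT rule, is at fault. The packet records, addresses and field names are constructed assumptions, not output from the poster's ASAs.

```python
from collections import namedtuple

# One packet as it would be read off "show cap capo" (constructed format).
Pkt = namedtuple("Pkt", "src sport dst dport")
IKE_PORT = 500


def ike_pkts(cap, src, dst):
    """Packets in a capture from src to dst aimed at the IKE port."""
    return [p for p in cap if p.src == src and p.dst == dst and p.dport == IKE_PORT]


def diagnose(local_cap, remote_cap, local_ip, remote_ip):
    """Explain why the local initiator sits in MM_WAIT_MSG2, from both captures."""
    if not ike_pkts(local_cap, local_ip, remote_ip):
        return "no MM1 leaves the local ASA: check the crypto map and interesting traffic"
    arrived = [p for p in remote_cap if p.dst == remote_ip and p.dport == IKE_PORT]
    if not arrived:
        return "MM1 never reaches the remote peer: dropped or not forwarded on the path (NAT/ACL)"
    seen_from = {p.src for p in arrived}
    if local_ip not in seen_from:
        # The remote peer receives IKE from an address it has no peer entry for.
        return f"MM1 arrives from {sorted(seen_from)[0]} instead of {local_ip}: NAT rewrote the peer address"
    if any(p.sport != IKE_PORT for p in arrived):
        return "MM1 arrives with a translated source port: PAT on the path, IKE needs port 500 preserved (or NAT-T on 4500)"
    if not ike_pkts(remote_cap, remote_ip, local_ip):
        return "remote peer receives MM1 but never answers: check its crypto config and peer definition"
    if not ike_pkts(local_cap, remote_ip, local_ip):
        return "MM2 leaves the remote peer but never returns: return path dropped (NAT/ACL)"
    return "IKE exchange flows both ways: look beyond NAT (policy or pre-shared key mismatch)"


# Constructed sample matching the thread's symptom: the local ASA sends MM1, but
# the new NAT rule rewrites its source address, so the remote peer sees a stranger.
LOCAL_IP, REMOTE_IP = "203.0.113.10", "198.51.100.20"
SAMPLE_LOCAL = [Pkt(LOCAL_IP, 500, REMOTE_IP, 500)]
SAMPLE_REMOTE = [Pkt("203.0.113.7", 500, REMOTE_IP, 500)]

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOCAL, SAMPLE_REMOTE, LOCAL_IP, REMOTE_IP))
```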