Tunnel Manager has failed to establish an L2L SA

ohareka70
Level 3

Hello,

 

I have a site-to-site tunnel terminating on my Cisco ASA. It was working fine, but then I changed the NAT config on my external router. Now I am getting this. Any ideas?

 

%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag = mapTag. Map Sequence Number = mapSeq.

An attempt to bring up an L2L tunnel to a peer failed after trying with all configured protocols.

• mapTag—Name of the crypto map for which the initiation entry was removed
• mapSeq—Sequence number of the crypto map for which the initiation entry was removed

7 Replies

pjain2
Cisco Employee

Please put in the simultaneous crypto debug outputs from both ends:

debug crypto condition peer <peer ip>

debug crypto isakmp 127

debug crypto ipsec 127

 

Hello,

 

I have attached the reply

 

regards,

Kevin

 

I forgot to say everything was working fine a week ago.  But I removed the external internet router and instead now have it plugged straight into the external firewall.  NAT that was previously done on the external firewall is now done on the firewall.

It's probably a NAT issue, but the funny thing is we have several site-to-site VPNs which are all working. But there is one VPN, which is built with an IPsec and GRE tunnel, that just doesn't work.

I can ping the external address from the firewall but not SSH or telnet to it anymore, as the tunnel is down.

Any ideas what could be missing on the NAT side of things?

show crypto isakmp sa

8   IKE Peer: 0.0.0.0
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

Why is the IKE peer showing as 0.0.0.0? Please share the crypto config from the ASA.

It's not; it has a proper peer address, but I don't want to post it.

 

There is nothing wrong with the crypto on either side; it's something to do with NAT. Have you any ideas?

Please apply the following capture on both tunnel endpoints:

 

capture capo interface outside match udp host <public ip of local ASA> host <public ip of remote end> 

 

Try to initiate the tunnel and check if you see UDP 500 on both ends with "show cap capo".
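As an added example (not from this thread or from Cisco), a small Python helper that pulls the crypto map tag and sequence out of a %ASA-3-752015 syslog line and reads the per-peer blocks of "show crypto isakmp sa", then explains what the Main Mode state means for troubleshooting. The sample syslog line and SA table below are constructed to match the formats quoted in the thread, using documentation addresses; the state hints summarise the usual IKEv1 Main Mode interpretation, with MM_WAIT_MSG2 on the initiator being the "no reply at all" case that the UDP 500 capture is meant to confirm.

```python
import re

# Constructed sample data modelled on the syslog message and the
# "show crypto isakmp sa" output quoted above; not real device output.
SAMPLE_SYSLOG = ("%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. "
                 "All configured IKE versions failed to establish the tunnel. "
                 "Map Tag = outside_map. Map Sequence Number = 10.")
SAMPLE_ISAKMP_SA = """\
1   IKE Peer: 192.0.2.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
2   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

FAILURE_RE = re.compile(r"%ASA-\d-752015:.*Map Tag = (?P<tag>\S+?)\. "
                        r"Map Sequence Number = (?P<seq>\d+)")
PEER_RE = re.compile(r"^\s*(?P<idx>\d+)\s+IKE Peer:\s*(?P<peer>\S+)")
TYPE_RE = re.compile(r"Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)")
STATE_RE = re.compile(r"Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)")

# What each IKEv1 Main Mode state means for the side that is stuck in it.
STATE_HINTS = {
    "MM_WAIT_MSG2": "initiator sent MM1 and got nothing back: IKE on UDP 500 is not "
                    "reaching the peer or the reply is not returning; confirm the "
                    "capture shows UDP 500 in both directions and check NAT/ACLs",
    "MM_WAIT_MSG3": "responder answered MM1 but never received the initiator's MM3",
    "MM_WAIT_MSG4": "initiator sent its key exchange (MM3), waiting for the peer's",
    "MM_WAIT_MSG5": "responder sent MM4, waiting for the initiator's authentication",
    "MM_WAIT_MSG6": "initiator sent authentication (MM5), no reply: typically a "
                    "pre-shared key or identity mismatch",
    "MM_ACTIVE": "Phase 1 complete",
}

def parse_tunnel_failure(line):
    """Return the crypto map tag/sequence from a 752015 syslog line, else None."""
    m = FAILURE_RE.search(line)
    return {"map_tag": m["tag"], "map_seq": int(m["seq"])} if m else None

def parse_isakmp_sa(text):
    """Parse the per-peer blocks of 'show crypto isakmp sa' into dicts."""
    sas, cur = [], None
    for line in text.splitlines():
        if (m := PEER_RE.match(line)):
            cur = {"index": int(m["idx"]), "peer": m["peer"]}
            sas.append(cur)
        elif cur is not None and (m := TYPE_RE.search(line) or STATE_RE.search(line)):
            cur.update(m.groupdict())
    return sas

def diagnose(sa):
    """One-line explanation of the state an SA is sitting in."""
    hint = STATE_HINTS.get(sa.get("state"), "unrecognised state, check the debugs")
    return f"{sa['peer']} ({sa.get('role')}) {sa.get('state')}: {hint}"

def stuck_peers(text):
    """Peers whose Phase 1 never got past the first exchange."""
    return [sa["peer"] for sa in parse_isakmp_sa(text) if sa.get("state") == "MM_WAIT_MSG2"]
```

Feed it the real syslog line and the real "show crypto isakmp sa" output from both ends; a peer listed by stuck_peers on the initiator with no UDP 500 seen in the responder's capture points at the NAT/path, not the crypto config.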