I'm having a little trouble with this, the first of many L2L connections. The second part of phase one seems to be failing and I can't put my finger on it; maybe another set of eyes could help. It's map 870, tunnel-group 126.96.36.199. Thanks in advance for any input.
I tried to pare down the info to just the pertinent stuff, but there is still a lot there.
You should not use the same ACL for all your VPNs.
access-list crypto_map_870 extended permit ip 10.3.0.0 255.255.0.0
access-list crypto_map_870 extended permit ip 188.8.131.52 255.255.255.0 192.168.0.0 255.255.0.0
crypto map qdi 870 match address crypto_map_870
crypto map qdi 870 set peer 184.108.40.206
crypto map qdi 870 set transform-set remotes
I would start there.
Thanks for the idea.
The debug still comes up the same. It seems to only check the first couple of maps, and when it doesn't find its peer it stops. The other maps are not yet in use and most of them will be coming out. The license supports 200 VPN connections, so I'm at a loss here.
Made a small error above.
access-list crypto_map_870 extended permit ip 192.168.0.0 255.255.0.0 10.3.0.0 255.255.0.0
Also, if you are not using access-list l2ltunnel I would get rid of it, as it contains duplicates of the new ACL you created.
I caught the error and adjusted the ACL. I'm wondering if I need to take all the map entries out and start with just one and build from there? I was hoping I was just missing something obvious. The debug does show the right networks being assigned to the tunnel.
What does your config look like now? I still think it is an issue with the l2ltunnel acl including traffic which should be specific to the tunnel you are trying to bring up, but I of course could be wrong.
In your "show cry isa sa", the "type" should not be saying "user". It should be saying "L2L". Not sure why it's doing that, hopefully someone else can chime in.
I would try moving this one down the list.
no crypto map qdi 70 ipsec-isakmp dynamic remote
crypto map qdi 65535 ipsec-isakmp dynamic remote
Here's part of your issue. You have a crypto map with tons of stuff defined, but most of it is incomplete. When the ASA goes through the map process, it goes in order. Once it hits 60, it stops because it's not complete. To test this, just create a new crypto map with your peer only in it and apply that to the interface, or make sure your map is complete.
You seem to be passing phase IKE already so I think that might be where the issue is.
Just for clarification, I mean that the crypto map will stop as soon as it gets to a number on there where all the info isn't there. So in your case, at least in the new config, it's pretty much everything, because you removed the ACL you were attempting to match against before.
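To make the ordering point concrete, here is an added example that is not from this thread or from Cisco: a small Python model of how the ASA walks a crypto map in sequence-number order when a peer initiates IKE. Static entries only match their configured peer; a dynamic entry ("ipsec-isakmp dynamic <name>") accepts any peer that no earlier static entry claimed, which is why Cisco recommends giving the dynamic entry the highest sequence number. The sequence numbers 60, 70, 870 and 65535, the peer 184.108.40.206 and the ACL/transform-set names come from the posts above; the entry data model, the treatment of an incomplete static entry as one that no peer can match, and the mapping of a dynamic match to a "user" SA type are assumptions of this model, not observed ASA output.

```python
"""Model of ASA crypto map evaluation order (added example, not ASA code).

Assumptions (not from the thread): an incomplete static entry is treated as
matching no peer; a peer that lands on the dynamic entry is reported with the
SA type "user" (remote access), a static match as "L2L".
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CryptoMapEntry:
    seq: int
    dynamic: bool = False              # "crypto map <name> <seq> ipsec-isakmp dynamic <dyn>"
    peer: Optional[str] = None         # "set peer"
    match_acl: Optional[str] = None    # "match address"
    transform_set: Optional[str] = None  # "set transform-set"

    def complete(self) -> bool:
        """A static entry needs peer, ACL and transform set; a dynamic entry is self-contained."""
        if self.dynamic:
            return True
        return all((self.peer, self.match_acl, self.transform_set))


def select_entry(crypto_map: List[CryptoMapEntry], peer_ip: str) -> Optional[CryptoMapEntry]:
    """Return the first entry, walking in sequence order, that accepts peer_ip."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if not entry.complete():
            continue            # assumption: nothing can match an entry with no peer/ACL/transform set
        if entry.dynamic:
            return entry        # dynamic entry accepts any peer not claimed by an earlier static entry
        if entry.peer == peer_ip:
            return entry
    return None


def sa_type(entry: Optional[CryptoMapEntry]) -> str:
    """Mimic the "type" column of "show crypto isakmp sa" for the matched entry."""
    if entry is None:
        return "none"
    return "user" if entry.dynamic else "L2L"


def build_map(dynamic_seq: int) -> List[CryptoMapEntry]:
    """Constructed crypto map 'qdi': an incomplete entry 60, the dynamic entry, and static entry 870."""
    return [
        CryptoMapEntry(seq=60, match_acl="crypto_map_60", transform_set="remotes"),  # no "set peer": incomplete
        CryptoMapEntry(seq=dynamic_seq, dynamic=True),                               # "ipsec-isakmp dynamic remote"
        CryptoMapEntry(seq=870, peer="184.108.40.206",
                       match_acl="crypto_map_870", transform_set="remotes"),
    ]


def before_and_after(peer_ip: str = "184.108.40.206") -> Tuple[str, str]:
    """SA type for the L2L peer with the dynamic entry at seq 70 versus at seq 65535."""
    before = sa_type(select_entry(build_map(70), peer_ip))       # dynamic entry sits before 870
    after = sa_type(select_entry(build_map(65535), peer_ip))     # dynamic entry moved to the end
    return before, after


if __name__ == "__main__":
    b, a = before_and_after()
    print(f"dynamic at 70:    peer 184.108.40.206 -> {b}")
    print(f"dynamic at 65535: peer 184.108.40.206 -> {a}")
```

With the dynamic entry at sequence 70 the L2L peer is consumed by it and shows up as type "user", matching the symptom noted earlier in the thread; with the dynamic entry renumbered to 65535 the same peer reaches static entry 870 and is reported as "L2L". An unknown peer still falls through to the dynamic entry in the fixed map, which is the behaviour a remote-access dynamic map is there to provide.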
It appears moving the map to the head of the class is a winner. I think both ideas come into play here. By moving the map ahead of the dynamic map and the incomplete maps, it works. I'm thinking the dynamic map was the main culprit, since the other maps were complete originally. So much for trying to get a little ahead. One map at a time is the law. Thanks guys, really appreciate the extra sets of eyes.